package org.xdi.oxauth.model.token;

import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.SignatureException;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.UUID;
import org.apache.commons.lang.StringUtils;
import org.codehaus.jettison.json.JSONArray;
import org.jboss.seam.Component;
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.AutoCreate;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.contexts.Contexts;
import org.jboss.seam.contexts.Lifecycle;
import org.xdi.model.GluuAttribute;
import org.xdi.oxauth.model.authorize.Claim;
import org.xdi.oxauth.model.common.AccessToken;
import org.xdi.oxauth.model.common.AuthorizationCode;
import org.xdi.oxauth.model.common.IAuthorizationGrant;
import org.xdi.oxauth.model.common.SubjectType;
import org.xdi.oxauth.model.config.ConfigurationFactory;
import org.xdi.oxauth.model.crypto.encryption.BlockEncryptionAlgorithm;
import org.xdi.oxauth.model.crypto.encryption.KeyEncryptionAlgorithm;
import org.xdi.oxauth.model.crypto.signature.ECDSAPrivateKey;
import org.xdi.oxauth.model.crypto.signature.RSAPrivateKey;
import org.xdi.oxauth.model.crypto.signature.RSAPublicKey;
import org.xdi.oxauth.model.crypto.signature.SignatureAlgorithm;
import org.xdi.oxauth.model.exception.InvalidClaimException;
import org.xdi.oxauth.model.exception.InvalidJweException;
import org.xdi.oxauth.model.exception.InvalidJwtException;
import org.xdi.oxauth.model.jwe.Jwe;
import org.xdi.oxauth.model.jwe.JweEncrypterImpl;
import org.xdi.oxauth.model.jwk.JSONWebKey;
import org.xdi.oxauth.model.jwk.JSONWebKeySet;
import org.xdi.oxauth.model.jws.ECDSASigner;
import org.xdi.oxauth.model.jws.HMACSigner;
import org.xdi.oxauth.model.jws.RSASigner;
import org.xdi.oxauth.model.jwt.Jwt;
import org.xdi.oxauth.model.jwt.JwtSubClaimObject;
import org.xdi.oxauth.model.jwt.JwtType;
import org.xdi.oxauth.model.ldap.PairwiseIdentifier;
import org.xdi.oxauth.model.util.JwtUtil;
import org.xdi.oxauth.service.AttributeService;
import org.xdi.oxauth.service.PairwiseIdentifierService;
import org.xdi.oxauth.service.ScopeService;
import org.xdi.oxauth.service.external.ExternalDynamicScopeService;
import org.xdi.oxauth.service.fido.u2f.RawRegistrationService;
import org.xdi.util.security.StringEncrypter;

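/**
 * Builds the OpenID Connect ID Token for an authorization grant, either as a
 * signed JWT ({@link #generateSignedIdToken}) or as a JWE
 * ({@link #generateEncryptedIdToken}).
 *
 * <p>Both variants populate the same claim set, in the same order: the
 * standard claims (iss, aud, exp, iat, acr, nonce, auth_time), c_hash /
 * at_hash, the ox* extension claims, the claims released by the granted
 * scopes, the claims requested explicitly through the request object's
 * {@code id_token} member, the subject ({@code sub}, public or pairwise) and
 * finally whatever the external dynamic-scope scripts add. A later step
 * overwrites an earlier one when both set the same claim name.</p>
 *
 * <p>Changes from the previous revision: the JWE path no longer dereferences
 * an unknown scope before its null check, it honours "group claims" scopes the
 * same way the signed path does, it fails closed instead of returning a
 * plaintext token for an unrecognised key-encryption algorithm, and the signed
 * path raises a {@link SignatureException} instead of a NullPointerException
 * when the server JWKS has no key for the chosen algorithm.</p>
 */
@Name("idTokenFactory")
@AutoCreate
@Scope(ScopeType.STATELESS)
public class IdTokenFactory {

    /** User attribute used as the user key for stored pairwise identifiers. */
    private static final String USER_INUM_ATTRIBUTE = "inum";

    /** Attribute whose claim value comes from {@code User.getUserId()} rather than the attribute store. */
    private static final String UID_ATTRIBUTE = "uid";

    @In
    private ExternalDynamicScopeService externalDynamicScopeService;

    @In
    private ScopeService scopeService;

    @In
    private AttributeService attributeService;

    @In
    private ConfigurationFactory configurationFactory;

    @In
    private PairwiseIdentifierService pairwiseIdentifierService;

    /**
     * Generates the ID Token as a JWS (or, for algorithm "none", as an unsigned JWT).
     *
     * @param authorizationGrant grant the token is issued for (client, user, acr, auth_time, request object)
     * @param nonce              the nonce from the authorization request; omitted from the token when blank
     * @param authorizationCode  code to bind via {@code c_hash}, or null
     * @param accessToken        access token to bind via {@code at_hash}, or null
     * @param scopes             granted scope names whose claims are released
     * @return the signed token
     * @throws SignatureException when the algorithm is unknown or no server key exists for it, or signing fails
     */
    public Jwt generateSignedIdToken(IAuthorizationGrant authorizationGrant, String nonce, AuthorizationCode authorizationCode, AccessToken accessToken, Set<String> scopes) throws SignatureException, InvalidJwtException, StringEncrypter.EncryptionException, InvalidClaimException {
        Jwt jwt = new Jwt();
        SignatureAlgorithm signatureAlgorithm = resolveSignatureAlgorithm(authorizationGrant);

        // SECURITY NOTE(review): "none" is taken verbatim from the client's registered
        // id_token_signed_response_alg and produces an UNSIGNED token (see sign()).
        // OIDC only allows that for clients that never receive the ID Token from the
        // authorization endpoint; nothing here enforces it, so it must be enforced at
        // client registration / request validation — confirm that it is.
        jwt.getHeader().setType(signatureAlgorithm == SignatureAlgorithm.NONE ? JwtType.JWT : JwtType.JWS);
        jwt.getHeader().setAlgorithm(signatureAlgorithm);

        // The first server key for the algorithm is used and advertised as "kid".
        JSONWebKey signingKey = firstKeyFor(configurationFactory.getWebKeys(), signatureAlgorithm);
        if (signingKey != null) {
            jwt.getHeader().setKeyId(signingKey.getKeyId());
        }

        addStandardClaims(jwt, authorizationGrant, nonce, authorizationCode, accessToken, signatureAlgorithm);
        List<String> dynamicScopes = addScopeClaims(jwt, authorizationGrant, scopes);
        addRequestedClaims(jwt, authorizationGrant);
        addSubjectClaim(jwt, authorizationGrant);
        runDynamicScopeScripts(dynamicScopes, jwt, authorizationGrant);

        return sign(jwt, signatureAlgorithm, signingKey, authorizationGrant);
    }

    /**
     * Generates the ID Token as a JWE, using the client's registered
     * id_token_encrypted_response_alg / id_token_encrypted_response_enc.
     *
     * @param authorizationGrant grant the token is issued for
     * @param nonce              the nonce from the authorization request; omitted when blank
     * @param authorizationCode  code to bind via {@code c_hash}, or null
     * @param accessToken        access token to bind via {@code at_hash}, or null
     * @param scopes             granted scope names whose claims are released
     * @return the encrypted token
     * @throws InvalidJweException when the key-encryption algorithm is unsupported, the
     *                             client's public key cannot be obtained, or encryption fails
     */
    public Jwe generateEncryptedIdToken(IAuthorizationGrant authorizationGrant, String nonce, AuthorizationCode authorizationCode, AccessToken accessToken, Set<String> scopes) throws InvalidJweException, InvalidClaimException {
        Jwe jwe = new Jwe();
        KeyEncryptionAlgorithm keyEncryptionAlgorithm = KeyEncryptionAlgorithm.fromName(authorizationGrant.getClient().getIdTokenEncryptedResponseAlg());
        BlockEncryptionAlgorithm blockEncryptionAlgorithm = BlockEncryptionAlgorithm.fromName(authorizationGrant.getClient().getIdTokenEncryptedResponseEnc());
        jwe.getHeader().setType(JwtType.JWE);
        jwe.getHeader().setAlgorithm(keyEncryptionAlgorithm);
        jwe.getHeader().setEncryptionMethod(blockEncryptionAlgorithm);

        // The JWE is not signed, so there is no signing algorithm to size c_hash/at_hash
        // by; null is passed and getHash() applies its own default, as before.
        // NOTE(review): OIDC ties the hash length to the ID Token's signing alg — confirm
        // that RPs decrypting these tokens validate c_hash/at_hash the same way.
        addStandardClaims(jwe, authorizationGrant, nonce, authorizationCode, accessToken, null);
        List<String> dynamicScopes = addScopeClaims(jwe, authorizationGrant, scopes);
        addRequestedClaims(jwe, authorizationGrant);
        addSubjectClaim(jwe, authorizationGrant);
        runDynamicScopeScripts(dynamicScopes, jwe, authorizationGrant);

        return encrypt(jwe, keyEncryptionAlgorithm, blockEncryptionAlgorithm, authorizationGrant);
    }

    /** Client's registered id_token_signed_response_alg, falling back to the server default. */
    private SignatureAlgorithm resolveSignatureAlgorithm(IAuthorizationGrant grant) throws SignatureException {
        String algorithmName = configurationFactory.getConfiguration().getDefaultSignatureAlgorithm();
        if (grant.getClient() != null && grant.getClient().getIdTokenSignedResponseAlg() != null) {
            algorithmName = grant.getClient().getIdTokenSignedResponseAlg();
        }
        SignatureAlgorithm algorithm = SignatureAlgorithm.fromName(algorithmName);
        if (algorithm == null) {
            // Previously this surfaced much later as a NullPointerException in the signing switch.
            throw new SignatureException("Unsupported ID Token signing algorithm: " + algorithmName);
        }
        return algorithm;
    }

    /** First key in the server JWKS usable with {@code algorithm}, or null when there is none. */
    private static JSONWebKey firstKeyFor(JSONWebKeySet webKeys, SignatureAlgorithm algorithm) {
        List<JSONWebKey> keys = webKeys.getKeys(algorithm);
        if (keys == null || keys.isEmpty()) {
            return null;
        }
        return keys.get(0);
    }

    /**
     * Sets iss, aud, exp, iat, acr, nonce, auth_time, c_hash, at_hash and the ox*
     * extension claims, in that order.
     *
     * @param hashAlgorithm algorithm used to size c_hash/at_hash; null lets getHash() pick its default
     */
    private void addStandardClaims(JsonWebResponse token, IAuthorizationGrant grant, String nonce, AuthorizationCode authorizationCode, AccessToken accessToken, SignatureAlgorithm hashAlgorithm) throws InvalidClaimException {
        token.getClaims().setIssuer(configurationFactory.getConfiguration().getIssuer());
        token.getClaims().setAudience(grant.getClient().getClientId());

        // exp = now + idTokenLifetime seconds; iat = now.
        Calendar expiration = Calendar.getInstance();
        Date issuedAt = expiration.getTime();
        expiration.add(Calendar.SECOND, configurationFactory.getConfiguration().getIdTokenLifetime());
        token.getClaims().setExpirationTime(expiration.getTime());
        token.getClaims().setIssuedAt(issuedAt);

        if (grant.getAcrValues() != null) {
            token.getClaims().setClaim("acr", grant.getAcrValues());
        }
        // A blank nonce is silently dropped; callers must reject requests that
        // require one (implicit/hybrid flows) before reaching this factory.
        if (StringUtils.isNotBlank(nonce)) {
            token.getClaims().setClaim("nonce", nonce);
        }
        if (grant.getAuthenticationTime() != null) {
            token.getClaims().setClaim("auth_time", grant.getAuthenticationTime());
        }
        // Bind the token to the code / access token issued alongside it.
        if (authorizationCode != null) {
            token.getClaims().setClaim("c_hash", authorizationCode.getHash(hashAlgorithm));
        }
        if (accessToken != null) {
            token.getClaims().setClaim("at_hash", accessToken.getHash(hashAlgorithm));
        }
        token.getClaims().setClaim("oxValidationURI", configurationFactory.getConfiguration().getCheckSessionIFrame());
        token.getClaims().setClaim("oxOpenIDConnectVersion", configurationFactory.getConfiguration().getOxOpenIdConnectVersion());
    }

    /**
     * Releases the claims mapped to each granted scope. Scopes flagged as "group
     * claims" are emitted as one nested object named after the scope; the rest are
     * emitted as top-level claims. DYNAMIC scopes are not expanded here; their names
     * are returned so the external scripts can be run after the subject is set.
     *
     * @return display names of the DYNAMIC scopes among {@code scopes}
     */
    private List<String> addScopeClaims(JsonWebResponse token, IAuthorizationGrant grant, Set<String> scopes) throws InvalidClaimException {
        List<String> dynamicScopes = new ArrayList<String>();
        for (String scopeName : scopes) {
            org.xdi.oxauth.model.common.Scope scope = scopeService.getScopeByDisplayName(scopeName);
            if (scope == null) {
                // Unknown scope: nothing to release. (The JWE path used to NPE here.)
                continue;
            }
            if (org.xdi.oxauth.model.common.ScopeType.DYNAMIC == scope.getScopeType()) {
                dynamicScopes.add(scope.getDisplayName());
            } else if (scope.getOxAuthClaims() != null) {
                if (scope.getIsOxAuthGroupClaims()) {
                    JwtSubClaimObject group = new JwtSubClaimObject();
                    group.setName(scope.getDisplayName());
                    for (String attributeDn : scope.getOxAuthClaims()) {
                        GluuAttribute attribute = attributeService.getAttributeByDn(attributeDn);
                        if (attribute == null) {
                            continue; // dangling attribute DN in the scope definition
                        }
                        String claimName = attribute.getOxAuthClaimName();
                        String attributeName = attribute.getName();
                        if (StringUtils.isNotBlank(claimName) && StringUtils.isNotBlank(attributeName)) {
                            group.setClaim(claimName, UID_ATTRIBUTE.equals(attributeName) ? grant.getUser().getUserId() : grant.getUser().getAttribute(attributeName));
                        }
                    }
                    token.getClaims().setClaim(scope.getDisplayName(), group);
                } else {
                    for (String attributeDn : scope.getOxAuthClaims()) {
                        GluuAttribute attribute = attributeService.getAttributeByDn(attributeDn);
                        if (attribute == null) {
                            continue; // dangling attribute DN in the scope definition
                        }
                        String claimName = attribute.getOxAuthClaimName();
                        String attributeName = attribute.getName();
                        if (StringUtils.isNotBlank(claimName) && StringUtils.isNotBlank(attributeName)) {
                            token.getClaims().setClaim(claimName, UID_ATTRIBUTE.equals(attributeName) ? grant.getUser().getUserId() : grant.getUser().getAttribute(attributeName));
                        }
                    }
                }
            }
        }
        return dynamicScopes;
    }

    /**
     * Releases the claims the RP asked for in the request object's {@code id_token}
     * member. Only claim names an administrator has mapped to a user attribute are
     * honoured, so the request cannot pull arbitrary attributes; note however that a
     * mapping onto a reserved name (iss, aud, exp, iat, ...) would overwrite the
     * value set by {@link #addStandardClaims}. Multi-valued attributes (JSONArray)
     * become a list of strings; everything else is emitted as a single string.
     */
    private void addRequestedClaims(JsonWebResponse token, IAuthorizationGrant grant) throws InvalidClaimException {
        if (grant.getJwtAuthorizationRequest() == null || grant.getJwtAuthorizationRequest().getIdTokenMember() == null) {
            return;
        }
        for (Claim claim : grant.getJwtAuthorizationRequest().getIdTokenMember().getClaims()) {
            GluuAttribute attribute = attributeService.getByClaimName(claim.getName());
            if (attribute == null) {
                continue;
            }
            Object value = grant.getUser().getAttribute(attribute.getName(), true);
            if (value == null) {
                continue;
            }
            if (value instanceof JSONArray) {
                token.getClaims().setClaim(claim.getName(), jsonArrayToStrings((JSONArray) value));
            } else {
                // NOTE(review): assumes single-valued attributes are returned as String;
                // any other type would fail this cast with a ClassCastException.
                token.getClaims().setClaim(claim.getName(), (String) value);
            }
        }
    }

    /** Copies the non-null entries of a JSONArray into a list of strings. */
    private static List<String> jsonArrayToStrings(JSONArray array) {
        List<String> values = new ArrayList<String>(array.length());
        for (int i = 0; i < array.length(); i++) {
            String value = array.optString(i);
            if (value != null) {
                values.add(value);
            }
        }
        return values;
    }

    /**
     * Sets {@code sub}: the configured openidSubAttribute of the user for public
     * clients, or a per-(user, sector) pairwise identifier that is created on first
     * use and persisted for pairwise clients.
     */
    private void addSubjectClaim(JsonWebResponse token, IAuthorizationGrant grant) throws InvalidClaimException {
        String subjectType = grant.getClient().getSubjectType();
        boolean pairwise = subjectType != null && SubjectType.PAIRWISE.equals(SubjectType.fromString(subjectType));
        if (!pairwise) {
            token.getClaims().setSubjectIdentifier(grant.getUser().getAttribute(configurationFactory.getConfiguration().getOpenidSubAttribute()));
            return;
        }

        String sectorIdentifierUri = resolveSectorIdentifier(grant);
        String userInum = grant.getUser().getAttribute(USER_INUM_ATTRIBUTE);
        PairwiseIdentifier pairwiseIdentifier = pairwiseIdentifierService.findPairWiseIdentifier(userInum, sectorIdentifierUri);
        if (pairwiseIdentifier == null) {
            // First release to this sector: mint a random (SecureRandom-backed) identifier
            // that cannot be correlated with the user's real identifier.
            // NOTE(review): find-then-add is not atomic; two concurrent first logins
            // could persist two identifiers for the same (user, sector).
            pairwiseIdentifier = new PairwiseIdentifier(sectorIdentifierUri);
            pairwiseIdentifier.setId(UUID.randomUUID().toString());
            pairwiseIdentifier.setDn(pairwiseIdentifierService.getDnForPairwiseIdentifier(pairwiseIdentifier.getId(), userInum));
            pairwiseIdentifierService.addPairwiseIdentifier(userInum, pairwiseIdentifier);
        }
        token.getClaims().setSubjectIdentifier(pairwiseIdentifier.getId());
    }

    /**
     * The key under which pairwise identifiers are stored for a client: its
     * sector_identifier_uri when registered, otherwise its first redirect_uri.
     *
     * @throws IllegalStateException when neither is available (previously an
     *                               ArrayIndexOutOfBoundsException)
     */
    private static String resolveSectorIdentifier(IAuthorizationGrant grant) {
        if (StringUtils.isNotBlank(grant.getClient().getSectorIdentifierUri())) {
            return grant.getClient().getSectorIdentifierUri();
        }
        String[] redirectUris = grant.getClient().getRedirectUris();
        if (redirectUris == null || redirectUris.length == 0) {
            throw new IllegalStateException("Pairwise subject type requires a sector_identifier_uri or at least one redirect_uri");
        }
        // NOTE(review): OIDC derives the pairwise sector from the HOST of the URI;
        // this keys on the full URI string, so two redirect URIs on one host would
        // yield different subs — confirm this is the intended behaviour.
        return redirectUris[0];
    }

    /** Lets the external dynamic-scope scripts add their claims, if any dynamic scopes were granted and the service is enabled. */
    private void runDynamicScopeScripts(List<String> dynamicScopes, JsonWebResponse token, IAuthorizationGrant grant) throws InvalidClaimException {
        if (!dynamicScopes.isEmpty() && externalDynamicScopeService.isEnabled()) {
            externalDynamicScopeService.executeExternalUpdateMethods(dynamicScopes, token, grant.getUser());
        }
    }

    /**
     * Signs the token with the given algorithm. HS* uses the client secret as the
     * HMAC key, RS*/ES* use the server key chosen earlier, and NONE returns the token
     * unsigned.
     *
     * @param signingKey server key for RS*/ES*; ignored for HS*/NONE
     * @throws SignatureException when an asymmetric algorithm was chosen but the JWKS has no key for it
     */
    private Jwt sign(Jwt jwt, SignatureAlgorithm algorithm, JSONWebKey signingKey, IAuthorizationGrant grant) throws SignatureException, InvalidJwtException, StringEncrypter.EncryptionException, InvalidClaimException {
        switch (algorithm) {
            case HS256:
            case HS384:
            case HS512:
                // NOTE(review): public clients have no secret; registration should refuse
                // HS* for them, as it is not checked here.
                return new HMACSigner(algorithm, grant.getClient().getClientSecret()).sign(jwt);
            case RS256:
            case RS384:
            case RS512:
                requireSigningKey(signingKey, algorithm);
                return new RSASigner(algorithm, new RSAPrivateKey(signingKey.getPrivateKey().getModulus(), signingKey.getPrivateKey().getPrivateExponent())).sign(jwt);
            case ES256:
            case ES384:
            case ES512:
                requireSigningKey(signingKey, algorithm);
                return new ECDSASigner(algorithm, new ECDSAPrivateKey(signingKey.getPrivateKey().getD())).sign(jwt);
            case NONE:
            default:
                // Unsigned: header alg "none", no signature segment.
                return jwt;
        }
    }

    /** Fails with a clear message instead of a NullPointerException when the JWKS has no key for {@code algorithm}. */
    private static void requireSigningKey(JSONWebKey signingKey, SignatureAlgorithm algorithm) throws SignatureException {
        if (signingKey == null) {
            throw new SignatureException("No " + algorithm + " key in the server JWKS to sign the ID Token with");
        }
    }

    /**
     * Encrypts the token for the client. RSA algorithms wrap the content key with
     * the client's public key fetched from its registered jwks_uri; A128KW/A256KW
     * wrap it with the raw UTF-8 bytes of the client secret.
     *
     * @throws InvalidJweException when the algorithm is unsupported (previously the
     *                             token was returned unencrypted), the public key is
     *                             unavailable, or encryption fails
     */
    private Jwe encrypt(Jwe jwe, KeyEncryptionAlgorithm keyAlgorithm, BlockEncryptionAlgorithm blockAlgorithm, IAuthorizationGrant grant) throws InvalidJweException {
        if (keyAlgorithm == KeyEncryptionAlgorithm.RSA_OAEP || keyAlgorithm == KeyEncryptionAlgorithm.RSA1_5) {
            RSAPublicKey publicKey = JwtUtil.getPublicKey(grant.getClient().getJwksUri(), (String) null, SignatureAlgorithm.RS256, (String) null);
            if (publicKey == null) {
                throw new InvalidJweException("The public key is not valid");
            }
            return new JweEncrypterImpl(keyAlgorithm, blockAlgorithm, publicKey).encrypt(jwe);
        }
        if (keyAlgorithm == KeyEncryptionAlgorithm.A128KW || keyAlgorithm == KeyEncryptionAlgorithm.A256KW) {
            // NOTE(review): the client secret's UTF-8 bytes are used directly as the KEK,
            // so its length must match the algorithm (16 / 32 bytes). OIDC Core 10.2
            // instead derives the symmetric key from SHA-256(client_secret); changing
            // this would break RPs that decrypt the old way — decide deliberately.
            try {
                return new JweEncrypterImpl(keyAlgorithm, blockAlgorithm, grant.getClient().getClientSecret().getBytes(StandardCharsets.UTF_8)).encrypt(jwe);
            } catch (Exception e) {
                throw new InvalidJweException(e);
            }
        }
        // Fail closed: an encrypted ID Token was required, so never hand back plaintext.
        throw new InvalidJweException("Unsupported ID Token key encryption algorithm: " + keyAlgorithm);
    }

    /**
     * Looks the component up from the Seam container.
     * NOTE(review): when neither an event nor an application context is active, a call
     * context is opened first — presumably so the lookup can run outside a request
     * (e.g. from a scheduler thread); the caller is then responsible for ending it.
     */
    public static IdTokenFactory instance() {
        if (!Contexts.isEventContextActive() && !Contexts.isApplicationContextActive()) {
            Lifecycle.beginCall();
        }
        return (IdTokenFactory) Component.getInstance(IdTokenFactory.class);
    }
}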
