package org.wso2.carbon.appmgt.gateway.token;

import com.google.gson.Gson;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.axiom.util.base64.Base64Utils;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.synapse.MessageContext;
import org.wso2.carbon.appmgt.api.AppManagementException;
import org.wso2.carbon.appmgt.api.model.WebApp;
import org.wso2.carbon.appmgt.gateway.handlers.security.APISecurityConstants;
import org.wso2.carbon.appmgt.impl.service.ServiceReferenceHolder;
import org.wso2.carbon.appmgt.impl.token.ClaimsRetriever;
import org.wso2.carbon.appmgt.impl.token.JWTSignatureAlgorithm;
import org.wso2.carbon.appmgt.impl.utils.AppManagerUtil;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/appmgt/gateway/token/AbstractJWTGenerator.class */
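/**
 * Base class for gateway-side JWT generation.
 *
 * <p>The token is assembled as {@code base64(header) + "." + base64(body) + "." + base64(signature)}.
 * The header carries {@code typ}, {@code alg} and, for signed tokens, the {@code x5t} thumbprint of
 * the tenant's public certificate; the body is a JSON object built from the claims returned by
 * {@link #populateStandardClaims(Map)} or {@link #populateCustomClaims(Map)} depending on the
 * {@code AppConsumerAuthConfiguration.AddClaimsSelectively} setting. When the configured signature
 * algorithm is {@code NONE} the token is emitted unsigned with an empty third segment, so a backend
 * receiving it gets no integrity guarantee from the token itself.
 *
 * <p>Segments are encoded with the standard (padded, {@code +}/{@code /}) Base64 alphabet rather than
 * the base64url alphabet JWS specifies; consumers must decode accordingly.
 *
 * <p>Per-tenant private keys, certificates and thumbprints are cached in concurrent maps for the
 * lifetime of the instance and are never invalidated, so a key-store change needs a new generator.
 */
public abstract class AbstractJWTGenerator implements TokenGenerator {
    protected static final String APP_GATEWAY_ID = "wso2.org/products/appm";
    private static final String SHA256_WITH_RSA = "SHA256withRSA";
    private static final String NONE = "NONE";
    private static final String DEFAULT_DIALECT_URI = "http://wso2.org/claims";
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";
    /** Digest used for the {@code x5t} header; RFC 7515 defines x5t as a SHA-1 certificate thumbprint. */
    private static final String THUMBPRINT_DIGEST = "SHA-1";
    private static final String CLAIMS_RETRIEVER_CLASS_CONFIG =
            "AppConsumerAuthConfiguration.ClaimsRetrieverImplClass";
    private static final String CONSUMER_DIALECT_URI_CONFIG = "AppConsumerAuthConfiguration.ConsumerDialectURI";
    private static final String SIGNATURE_ALGORITHM_CONFIG = "AppConsumerAuthConfiguration.SignatureAlgorithm";
    private static final String ADD_CLAIMS_SELECTIVELY_CONFIG = "AppConsumerAuthConfiguration.AddClaimsSelectively";
    private static final String SECURITY_CONTEXT_TTL_CONFIG = "APIKeyManager.SecurityContextTTL";
    private static final Log log = LogFactory.getLog(AbstractJWTGenerator.class);
    /** Shared serializer (Gson instances are thread-safe); also used to JSON-escape claim keys and values. */
    private static final Gson GSON = new Gson();
    /** Lazily resolved TTL; -1 means "not yet read from configuration" (see {@link #getTTL()}). */
    private static volatile long ttl = -1;
    private static final long DEFAULT_TTL = 15;
    private static final char[] HEX_DIGITS = "0123456789ABCDEF".toCharArray();

    private ClaimsRetriever claimsRetriever;
    private String dialectURI;
    private String signatureAlgorithm;
    private boolean addClaimsSelectively;
    // Neither flag is read by this class; retained so the field set of the original is unchanged.
    private boolean includeClaims = true;
    private boolean enableSigning = true;
    // Per-tenant caches keyed by tenant id. Generators are shared across gateway threads, so all of
    // them are concurrent maps (the original mixed plain HashMaps with a ConcurrentHashMap).
    private final Map<Integer, Key> privateKeys = new ConcurrentHashMap<>();
    private final Map<Integer, Certificate> publicCertificate = new ConcurrentHashMap<>();
    private final Map<Integer, String> base64EncodedThumbPrintMap = new ConcurrentHashMap<>();
    private final Map<String, Integer> tenantMap = new ConcurrentHashMap<>();

    /**
     * Reads the claims-retriever class, consumer dialect URI, signature algorithm and selective-claims
     * flag from the server configuration. A missing or unrecognised signature algorithm falls back to
     * {@code SHA256withRSA}; failures while instantiating the claims retriever are logged and leave
     * {@link #getClaimsRetriever()} returning {@code null}.
     */
    public AbstractJWTGenerator() {
        String retrieverClassName = readConfiguration(CLAIMS_RETRIEVER_CLASS_CONFIG);
        String configuredDialect = readConfiguration(CONSUMER_DIALECT_URI_CONFIG);
        this.dialectURI = configuredDialect != null ? configuredDialect : DEFAULT_DIALECT_URI;
        if (retrieverClassName != null) {
            try {
                // The class name comes from server configuration, not from request data.
                this.claimsRetriever = (ClaimsRetriever) Class.forName(retrieverClassName).newInstance();
                this.claimsRetriever.init();
            } catch (AppManagementException e) {
                log.error("Error while initializing " + retrieverClassName, e);
            } catch (ClassNotFoundException e) {
                log.error("Cannot find class: " + retrieverClassName, e);
            } catch (IllegalAccessException e) {
                log.error("Illegal access to " + retrieverClassName, e);
            } catch (InstantiationException e) {
                log.error("Error instantiating " + retrieverClassName, e);
            }
        }
        // Only the two algorithms this class knows how to emit are honoured; anything else
        // (including an absent setting) degrades to the signed variant, never to "none".
        String configuredAlgorithm = readConfiguration(SIGNATURE_ALGORITHM_CONFIG);
        if (NONE.equals(configuredAlgorithm) || SHA256_WITH_RSA.equals(configuredAlgorithm)) {
            this.signatureAlgorithm = configuredAlgorithm;
        } else {
            this.signatureAlgorithm = SHA256_WITH_RSA;
        }
        this.addClaimsSelectively = Boolean.parseBoolean(readConfiguration(ADD_CLAIMS_SELECTIVELY_CONFIG));
    }

    /**
     * Looks up a single property from the API manager configuration.
     *
     * @param propertyName dotted configuration key
     * @return the configured value, or {@code null} when it is not set
     */
    private static String readConfiguration(String propertyName) {
        return ServiceReferenceHolder.getInstance()
                .getAPIManagerConfigurationService()
                .getAPIManagerConfiguration()
                .getFirstProperty(propertyName);
    }

    /**
     * Encodes bytes with the standard Base64 alphabet and returns them as an ASCII string.
     */
    private static String base64(byte[] bytes) {
        return StringUtils.newStringUsAscii(Base64.encodeBase64(bytes));
    }

    /**
     * Builds the JWT for the given authentication context.
     *
     * @param map            authentication context; {@code APISecurityConstants.SUBJECT} is read as the
     *                       subject and drives tenant resolution for the signing key
     * @param webApp         the invoked web application (unused here; available to subclasses' claim
     *                       population via the map)
     * @param messageContext current Synapse message context (unused here)
     * @return the serialized token; for the {@code NONE} algorithm the signature segment is empty
     * @throws AppManagementException if claims, the tenant key material or the signature cannot be obtained
     */
    @Override
    public String generateToken(Map<String, Object> map, WebApp webApp, MessageContext messageContext)
            throws AppManagementException {
        String subject = (String) map.get(APISecurityConstants.SUBJECT);
        String encodedHeader = base64(buildHeader(subject).getBytes(StandardCharsets.UTF_8));
        String encodedBody = base64(buildBody(map).getBytes(StandardCharsets.UTF_8));
        String signingInput = encodedHeader + "." + encodedBody;
        if (!SHA256_WITH_RSA.equals(this.signatureAlgorithm)) {
            // Unsigned token: header.body. with an empty signature segment.
            return signingInput + ".";
        }
        String encodedSignature = base64(signJWT(signingInput, subject));
        if (log.isDebugEnabled()) {
            log.debug("signed assertion value : " + encodedSignature);
        }
        return signingInput + "." + encodedSignature;
    }

    /**
     * Builds the JOSE header JSON: {@code typ}, {@code alg} and, for RS256, the tenant certificate's
     * {@code x5t} thumbprint.
     *
     * @param str the subject; used to resolve the tenant whose certificate thumbprint is embedded
     * @return header JSON object
     * @throws AppManagementException if the tenant's certificate thumbprint cannot be produced
     */
    public String buildHeader(String str) throws AppManagementException {
        StringBuilder header = new StringBuilder("{\"typ\":\"JWT\",\"alg\":\"");
        if (NONE.equals(this.signatureAlgorithm)) {
            header.append(JWTSignatureAlgorithm.NONE.getJwsCompliantCode()).append('"');
        } else if (SHA256_WITH_RSA.equals(this.signatureAlgorithm)) {
            // The constructor guarantees one of the two branches is taken.
            header.append(JWTSignatureAlgorithm.SHA256_WITH_RSA.getJwsCompliantCode()).append("\",");
            header.append(addThumbPrintToHeader(str));
        }
        return header.append('}').toString();
    }

    /**
     * Builds the claims JSON from either the standard or the custom claim set, as configured.
     *
     * @param map authentication context handed to the claim-population hook
     * @return claims JSON object, or an empty string when the hook returns {@code null}
     * @throws AppManagementException propagated from the claim-population hook
     */
    public String buildBody(Map<String, Object> map) throws AppManagementException {
        Map<String, Object> claims = this.addClaimsSelectively
                ? populateStandardClaims(map)
                : populateCustomClaims(map);
        return claims == null ? "" : buildJWTBody(claims);
    }

    /**
     * Serializes a claim map as a JSON object.
     *
     * <p>{@code exp}, {@code nbf} and {@code iat} are written verbatim as numbers; {@link List} values are
     * serialized as JSON arrays; every other value is written as a JSON string of its {@code toString()}
     * ({@code null} becomes JSON {@code null}). Keys and string values are JSON-encoded via Gson so a
     * claim value containing quotes or braces cannot alter the structure of the token that is about
     * to be signed.
     *
     * @param map claims; {@code null} yields {@code "{}"}
     * @return JSON object text
     */
    private String buildJWTBody(Map<String, Object> map) {
        StringBuilder body = new StringBuilder("{");
        if (map != null) {
            for (Map.Entry<String, Object> entry : map.entrySet()) {
                String key = entry.getKey();
                Object value = entry.getValue();
                body.append(GSON.toJson(String.valueOf(key))).append(':');
                if (isNumericDateClaim(key)) {
                    body.append(value);
                } else if (value instanceof List) {
                    body.append(GSON.toJson(value));
                } else {
                    body.append(GSON.toJson(value == null ? null : value.toString()));
                }
                body.append(',');
            }
        }
        if (body.length() > 1) {
            // Drop the trailing comma left by the last entry.
            body.setLength(body.length() - 1);
        }
        return body.append('}').toString();
    }

    /** Registered claims that carry a NumericDate and must not be quoted. */
    private static boolean isNumericDateClaim(String key) {
        return "exp".equals(key) || "nbf".equals(key) || "iat".equals(key);
    }

    public abstract Map<String, Object> populateStandardClaims(Map<String, Object> map) throws AppManagementException;

    public abstract Map<String, Object> populateCustomClaims(Map<String, Object> map) throws AppManagementException;

    /**
     * @return the configured claims retriever, or {@code null} if none was configured or it failed to load
     */
    public ClaimsRetriever getClaimsRetriever() {
        return this.claimsRetriever;
    }

    /**
     * Signs the encoded {@code header.body} input with the tenant's private key.
     *
     * @param str  the signing input (UTF-8 bytes are signed)
     * @param str2 the subject used to resolve the tenant and its key
     * @return raw signature bytes
     * @throws AppManagementException if the key is missing, not an RSA private key, or signing fails
     */
    private byte[] signJWT(String str, String str2) throws AppManagementException {
        int tenantId = getTenantId(str2);
        try {
            Key privateKey = getPrivateKey(str2, tenantId);
            if (privateKey == null) {
                throw new AppManagementException("Private key is null for tenant " + tenantId);
            }
            if (!(privateKey instanceof PrivateKey)) {
                // Fail with a descriptive error instead of a ClassCastException from the cast below.
                throw new AppManagementException("Key obtained for tenant " + tenantId + " is not a private key");
            }
            Signature signature = Signature.getInstance(this.signatureAlgorithm);
            signature.initSign((PrivateKey) privateKey);
            signature.update(str.getBytes(StandardCharsets.UTF_8));
            return signature.sign();
        } catch (InvalidKeyException e) {
            String message = "Invalid private key provided for the signature for tenant " + tenantId;
            log.error(message, e);
            throw new AppManagementException(message, e);
        } catch (NoSuchAlgorithmException e) {
            String message = "Signature algorithm " + this.signatureAlgorithm + " not found.";
            log.error(message, e);
            throw new AppManagementException(message, e);
        } catch (SignatureException e) {
            String message = "Error in signature algorithm " + this.signatureAlgorithm;
            log.error(message, e);
            throw new AppManagementException(message, e);
        } catch (AppManagementException e) {
            String message = "Error in obtaining tenant's " + tenantId + " private key";
            log.error(message, e);
            throw new AppManagementException(message, e);
        }
    }

    /**
     * Name of a tenant's key store file: the domain with dots replaced by dashes plus {@code .jks}.
     */
    private static String tenantKeyStoreName(String tenantDomain) {
        return tenantDomain.trim().replace(".", "-") + ".jks";
    }

    /**
     * Returns the tenant's signing key, loading it from the key store on first use and caching it.
     *
     * @param str the subject; its tenant domain selects the key store
     * @param i   tenant id used as the cache key
     * @return the private key, or {@code null} if the key store holds none
     * @throws AppManagementException if the key store manager or key cannot be obtained
     */
    private Key getPrivateKey(String str, int i) throws AppManagementException {
        Key cached = this.privateKeys.get(i);
        if (cached != null) {
            return cached;
        }
        String tenantDomain = MultitenantUtils.getTenantDomain(str);
        try {
            KeyStoreManager keyStoreManager = getKeyStoreManager(i);
            Key key;
            if (SUPER_TENANT_DOMAIN.equals(tenantDomain)) {
                try {
                    key = keyStoreManager.getDefaultPrivateKey();
                } catch (Exception e) {
                    log.error("Error while obtaining private key for super tenant", e);
                    throw new AppManagementException("Error while obtaining private key for super tenant", e);
                }
            } else {
                key = keyStoreManager.getPrivateKey(tenantKeyStoreName(tenantDomain), tenantDomain);
            }
            if (key != null) {
                this.privateKeys.put(i, key);
            }
            return key;
        } catch (AppManagementException e) {
            String message = "Error in obtaining tenant's " + i + " private key";
            log.error(message, e);
            throw new AppManagementException(message, e);
        }
    }

    /**
     * Loads the tenant registry and returns the tenant's {@link KeyStoreManager}.
     *
     * @param i tenant id
     * @throws AppManagementException if the tenant registry cannot be loaded
     */
    private KeyStoreManager getKeyStoreManager(int i) throws AppManagementException {
        try {
            AppManagerUtil.loadTenantRegistry(i);
            return KeyStoreManager.getInstance(i);
        } catch (AppManagementException e) {
            String message = "Error in obtaining  key store manager for tenant " + i;
            log.error(message, e);
            throw new AppManagementException(message, e);
        }
    }

    /**
     * Renders the {@code "x5t":"..."} header member for the subject's tenant. A {@code null} thumbprint
     * is logged and still rendered (as the literal text {@code null}).
     */
    private String addThumbPrintToHeader(String str) throws AppManagementException {
        int tenantId = getTenantId(str);
        try {
            String thumbPrint = getBase64EncodedThumbPrint(str, tenantId);
            if (thumbPrint == null) {
                log.error("Base64 encoded thumb print is null for tenant : " + tenantId);
            }
            return "\"x5t\":\"" + thumbPrint + "\"";
        } catch (AppManagementException e) {
            throw new AppManagementException("Error in adding tenant's " + tenantId + " public certificate", e);
        }
    }

    /**
     * Returns the cached thumbprint of the tenant's certificate, computing it on first use.
     *
     * <p>The value is the Base64 encoding of the upper-case hex text of the SHA-1 digest of the DER
     * certificate, not the base64url of the raw digest that RFC 7515 specifies for {@code x5t};
     * consumers must derive it the same way to match.
     *
     * @throws AppManagementException if the certificate is missing or cannot be digested
     */
    private String getBase64EncodedThumbPrint(String str, int i) throws AppManagementException {
        String cached = this.base64EncodedThumbPrintMap.get(i);
        if (cached != null) {
            return cached;
        }
        try {
            Certificate certificate = getPublicCertificate(str, i);
            if (certificate == null) {
                throw new AppManagementException("Public certificate is null for tenant " + i);
            }
            MessageDigest digest = MessageDigest.getInstance(THUMBPRINT_DIGEST);
            digest.update(certificate.getEncoded());
            String thumbPrint = Base64Utils.encode(bytesToHex(digest.digest()).getBytes(StandardCharsets.UTF_8));
            if (thumbPrint != null) {
                this.base64EncodedThumbPrintMap.put(i, thumbPrint);
            }
            return thumbPrint;
        } catch (NoSuchAlgorithmException e) {
            // It is the digest, not the configured signature algorithm, that is unavailable here.
            throw new AppManagementException("Digest algorithm " + THUMBPRINT_DIGEST + " not found.", e);
        } catch (CertificateEncodingException e) {
            throw new AppManagementException("Error in generating public certificate thumbprint for tenant " + i, e);
        }
    }

    /**
     * Returns the tenant's public certificate, loading it from the key store on first use and caching it.
     *
     * @param str the subject; its tenant domain selects the key store and certificate alias
     * @param i   tenant id used as the cache key
     * @return the certificate, or {@code null} if the key store holds none under the tenant alias
     * @throws AppManagementException if the key store cannot be opened or read
     */
    private Certificate getPublicCertificate(String str, int i) throws AppManagementException {
        Certificate cached = this.publicCertificate.get(i);
        if (cached != null) {
            return cached;
        }
        String tenantDomain = MultitenantUtils.getTenantDomain(str);
        try {
            KeyStoreManager keyStoreManager = getKeyStoreManager(i);
            Certificate certificate;
            if (SUPER_TENANT_DOMAIN.equals(tenantDomain)) {
                certificate = keyStoreManager.getDefaultPrimaryCertificate();
            } else {
                certificate = keyStoreManager.getKeyStore(tenantKeyStoreName(tenantDomain)).getCertificate(tenantDomain);
            }
            if (certificate != null) {
                this.publicCertificate.put(i, certificate);
            }
            return certificate;
        } catch (KeyStoreException e) {
            throw new AppManagementException("Error in obtaining tenant's " + i + " keystore", e);
        } catch (NoSuchAlgorithmException e) {
            throw new AppManagementException("Signature algorithm " + this.signatureAlgorithm + " not found.", e);
        } catch (CertificateEncodingException e) {
            throw new AppManagementException("Error in generating public certificate thumbprint for tenant " + i, e);
        } catch (Exception e) {
            throw new AppManagementException("Error in obtaining tenant's " + i + " keystore", e);
        }
    }

    /**
     * Returns the token TTL from {@code APIKeyManager.SecurityContextTTL}, resolved once per JVM
     * (double-checked locking on the volatile {@code ttl}). A missing or non-numeric setting falls
     * back to {@link #DEFAULT_TTL} instead of failing token generation. The unit is whatever the
     * configuration documents; this class only passes the number through.
     */
    public long getTTL() {
        if (ttl != -1) {
            return ttl;
        }
        synchronized (AbstractJWTGenerator.class) {
            if (ttl != -1) {
                return ttl;
            }
            String configured = readConfiguration(SECURITY_CONTEXT_TTL_CONFIG);
            long resolved = DEFAULT_TTL;
            if (configured != null) {
                try {
                    resolved = Long.parseLong(configured);
                } catch (NumberFormatException e) {
                    log.error("Invalid " + SECURITY_CONTEXT_TTL_CONFIG + " value '" + configured
                            + "', using default " + DEFAULT_TTL, e);
                }
            }
            ttl = resolved;
            return ttl;
        }
    }

    /**
     * Resolves and caches the tenant id for a subject's tenant domain.
     *
     * @param str the subject (user name, possibly qualified with a tenant domain)
     * @return the tenant id; {@code -1234} when no {@link RealmService} is registered (this is WSO2's
     *         super-tenant id, presumably intended as a super-tenant default)
     * @throws AppManagementException if the user store lookup fails
     */
    protected int getTenantId(String str) throws AppManagementException {
        Integer cached = this.tenantMap.get(str);
        if (cached != null) {
            return cached;
        }
        String tenantDomain = MultitenantUtils.getTenantDomain(str);
        RealmService realmService = ServiceReferenceHolder.getInstance().getRealmService();
        int tenantId;
        if (realmService == null) {
            tenantId = -1234;
        } else {
            try {
                tenantId = realmService.getTenantManager().getTenantId(tenantDomain);
            } catch (UserStoreException e) {
                String message = "Error in obtaining tenantId from Domain " + tenantDomain;
                log.error(message, e);
                throw new AppManagementException(message, e);
            }
        }
        this.tenantMap.put(str, tenantId);
        return tenantId;
    }

    /**
     * Upper-case hex encoding of a byte array (two characters per byte, no separators).
     */
    private static String bytesToHex(byte[] bArr) {
        char[] out = new char[bArr.length * 2];
        for (int idx = 0; idx < bArr.length; idx++) {
            int octet = bArr[idx] & 0xFF;
            out[idx * 2] = HEX_DIGITS[octet >>> 4];
            out[idx * 2 + 1] = HEX_DIGITS[octet & 0x0F];
        }
        return new String(out);
    }
}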
