package org.apereo.cas.ticket;

import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.util.HashMap;
import java.util.Optional;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.support.oauth.services.OAuthRegisteredService;
import org.apereo.cas.util.EncodingUtils;
import org.jose4j.jwk.PublicJsonWebKey;
import org.jose4j.jwt.JwtClaims;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/ticket/BaseTokenSigningAndEncryptionService.class */
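/**
 * Base implementation of {@link OAuth20TokenSigningAndEncryptionService} that holds the
 * expected issuer, delegates JWT signing and encryption to {@link EncodingUtils}, and
 * verifies and validates incoming tokens in {@link #decode(String, Optional)}.
 *
 * <p>Subclasses supply the JSON web key used for signature verification through
 * {@link #getJsonWebKeySigningKey()}.
 */
public abstract class BaseTokenSigningAndEncryptionService implements OAuth20TokenSigningAndEncryptionService {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(BaseTokenSigningAndEncryptionService.class);

    /** Issuer value that a decoded token must carry in its issuer claim. */
    private final String issuer;

    /**
     * Creates the service for a given issuer.
     *
     * @param str issuer that {@link #decode(String, Optional)} compares token claims against
     */
    @Generated
    public BaseTokenSigningAndEncryptionService(String str) {
        this.issuer = str;
    }

    /**
     * Encrypts a value as a JWT by delegating to {@code EncodingUtils.encryptValueAsJwt}.
     *
     * <p>The decompiled parameter names carry no meaning; arguments are forwarded
     * positionally as {@code (key, str4, str, str2, str3, emptyMap)}.
     * NOTE(review): presumably {@code str4} is the payload and {@code str}/{@code str2}/{@code str3}
     * are algorithm, content encoding and key id - confirm against {@code EncodingUtils}.
     *
     * @param str  forwarded as the third argument of {@code encryptValueAsJwt}
     * @param str2 forwarded as the fourth argument
     * @param str3 forwarded as the fifth argument
     * @param key  encryption key, forwarded as the first argument
     * @param str4 forwarded as the second argument
     * @return the value returned by {@code EncodingUtils.encryptValueAsJwt}
     */
    protected String encryptToken(String str, String str2, String str3, Key key, String str4) {
        return EncodingUtils.encryptValueAsJwt(key, str4, str, str2, str3, new HashMap<>());
    }

    /**
     * Signs the claims with the given JSON web key, using the algorithm returned by
     * {@code getJsonWebKeySigningAlgorithm} for the service and no extra headers.
     *
     * @param oAuthRegisteredService service the token is issued for; selects the signing algorithm
     * @param jwtClaims              claims to sign
     * @param publicJsonWebKey       key handed to {@code EncodingUtils.signJws}
     * @return the value returned by {@code EncodingUtils.signJws}
     */
    protected String signToken(OAuthRegisteredService oAuthRegisteredService, JwtClaims jwtClaims, PublicJsonWebKey publicJsonWebKey) {
        LOGGER.debug("Service [{}] is set to sign id tokens", oAuthRegisteredService);
        String signingAlgorithm = getJsonWebKeySigningAlgorithm(oAuthRegisteredService);
        return EncodingUtils.signJws(jwtClaims, publicJsonWebKey, signingAlgorithm, new HashMap<>());
    }

    /**
     * Verifies the token signature with the public key of {@link #getJsonWebKeySigningKey()}
     * and returns the claims once the issuer and {@code client_id} checks pass.
     *
     * <p>This method itself checks only the signature, a non-blank issuer equal to the
     * configured one, and a non-blank {@code client_id}. Expiry, not-before and audience are
     * not examined here, and which signature algorithms are accepted is left to
     * {@code EncodingUtils.verifyJwsSignature}; callers that need those guarantees should
     * confirm where they are enforced.
     *
     * @param str      serialized, signed token
     * @param optional service the token belongs to; not read by this implementation
     * @return claims parsed from the verified payload
     * @throws IllegalArgumentException if no public key is available, the signature cannot be
     *     verified, the issuer is blank or differs from the configured issuer, or
     *     {@code client_id} is blank. NOTE(review): the jose4j parse and claim accessors
     *     appear to declare checked exceptions that this listing neither catches nor
     *     declares - confirm how they reach callers.
     */
    @Override
    public JwtClaims decode(String str, Optional<OAuthRegisteredService> optional) {
        PublicJsonWebKey signingKey = getJsonWebKeySigningKey();
        // A subclass that returns no key at all is reported the same way as a key without a
        // public half, rather than surfacing as a NullPointerException.
        if (signingKey == null || signingKey.getPublicKey() == null) {
            throw new IllegalArgumentException("JSON web key used to validate the id token signature has no associated public key");
        }
        byte[] verifiedPayload = EncodingUtils.verifyJwsSignature(signingKey.getPublicKey(), str);
        if (verifiedPayload == null) {
            throw new IllegalArgumentException("Unable to verify signature of the token using the JSON web key public key");
        }
        // Claims are built only from the bytes returned by signature verification.
        JwtClaims claims = JwtClaims.parse(new String(verifiedPayload, StandardCharsets.UTF_8));
        String tokenIssuer = claims.getIssuer();
        if (StringUtils.isBlank(tokenIssuer)) {
            throw new IllegalArgumentException("Claims do not contain an issuer");
        }
        // The whole claim set goes to the debug log; treat that log as sensitive if claims
        // carry user attributes.
        LOGGER.debug("Validating claims as [{}] with issuer [{}]", claims, tokenIssuer);
        // NOTE(review): RFC 7519 defines "iss" as a case-sensitive string; the case-insensitive
        // match is kept for compatibility. Consider an exact comparison once deployments are
        // known to configure the issuer with consistent casing.
        if (!tokenIssuer.equalsIgnoreCase(this.issuer)) {
            throw new IllegalArgumentException("Issuer assigned to claims " + tokenIssuer + " does not match " + this.issuer);
        }
        if (StringUtils.isBlank(claims.getStringClaimValue("client_id"))) {
            throw new IllegalArgumentException("Claims do not contain a client id claim");
        }
        return claims;
    }

    /**
     * Supplies the JSON web key whose public key verifies token signatures in
     * {@link #decode(String, Optional)}.
     *
     * @return the signing key; {@code decode} rejects a {@code null} key or a key without a public key
     */
    protected abstract PublicJsonWebKey getJsonWebKeySigningKey();

    /**
     * Returns the issuer this service was constructed with.
     *
     * @return the configured issuer
     */
    @Override
    @Generated
    public String getIssuer() {
        return this.issuer;
    }
}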
