package com.azure.spring.cloud.autoconfigure.implementation.aad.security;

import com.azure.spring.cloud.autoconfigure.implementation.condition.PropertyCondition;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.util.Base64URL;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.UUID;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.util.Assert;

/* loaded from: input_file:com/azure/spring/cloud/autoconfigure/implementation/aad/security/AadOAuth2ClientAuthenticationJwkResolver.class */
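/**
 * Resolves the signing {@link JWK} for a client registration that authenticates with
 * {@code private_key_jwt}, reading the key pair from a PKCS#12 client certificate file.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The certificate password is kept as a {@link String} field for the lifetime of this
 *       object, so it stays on the heap; only the temporary {@code char[]} copy made in
 *       {@link #resolve(ClientRegistration)} is wiped after use.</li>
 *   <li>The returned JWK carries the private key. It must never be logged or serialized with
 *       its private parameters.</li>
 *   <li>The key store file is re-read on every {@code resolve} call, so its file-system
 *       permissions are the effective access control on the client credential.</li>
 * </ul>
 */
public class AadOAuth2ClientAuthenticationJwkResolver implements OAuth2ClientAuthenticationJwkResolver {
    private static final Logger LOGGER = LoggerFactory.getLogger(AadOAuth2ClientAuthenticationJwkResolver.class);
    private final String clientCertificatePath;
    private final String clientCertificatePassword;

    /**
     * Creates a resolver bound to one PKCS#12 client certificate file.
     *
     * @param str path of the client certificate file; must be non-null and end with the
     *            {@code pfx} or {@code p12} extension (the comparison is case-sensitive)
     * @param str2 password protecting the key store and its key entry; must be non-null
     * @throws IllegalArgumentException if an argument is null or the extension is not supported
     */
    public AadOAuth2ClientAuthenticationJwkResolver(String str, String str2) {
        Assert.notNull(str, "clientCertificatePath cannot be null");
        Assert.notNull(str2, "clientCertificatePassword cannot be null");
        // NOTE(review): PROPERTY_SUFFIX is presumably "." (the extension separator); confirm
        // against PropertyCondition. This is a file-name check only; the file content is
        // validated when the key store is actually loaded in resolve().
        String extension = str.substring(str.lastIndexOf(PropertyCondition.PROPERTY_SUFFIX) + 1);
        Assert.isTrue("pfx".equals(extension) || "p12".equals(extension), "Only files with the '.pfx' or '.p12' extension are supported.");
        this.clientCertificatePath = str;
        this.clientCertificatePassword = str2;
    }

    /**
     * Builds an RSA JWK (public key, private key, {@code x5t} thumbprint and a random key id)
     * from the first entry of the configured PKCS#12 key store.
     *
     * @param clientRegistration the registration being authenticated
     * @return the JWK, or {@code null} when the registration does not use
     *         {@code private_key_jwt} or when the key material cannot be loaded (the cause is
     *         logged at error level)
     */
    @Override
    public JWK resolve(ClientRegistration clientRegistration) {
        if (!ClientAuthenticationMethod.PRIVATE_KEY_JWT.equals(clientRegistration.getClientAuthenticationMethod())) {
            return null;
        }
        char[] password = this.clientCertificatePassword.toCharArray();
        try (FileInputStream certificateStream = new FileInputStream(this.clientCertificatePath)) {
            KeyStore keyStore = KeyStore.getInstance("PKCS12");
            keyStore.load(certificateStream, password);

            // An empty key store would otherwise surface as an unchecked NoSuchElementException.
            Enumeration<String> aliases = keyStore.aliases();
            if (!aliases.hasMoreElements()) {
                LOGGER.error("Resolve RSAKey exception: the client certificate key store contains no entries.");
                return null;
            }
            String alias = aliases.nextElement();

            // Only the first alias is consulted. If it is not a private-key entry with an X.509
            // certificate, fail closed instead of building a JWK without a usable private key.
            Key key = keyStore.getKey(alias, password);
            Certificate certificate = keyStore.getCertificate(alias);
            if (!(key instanceof PrivateKey) || !(certificate instanceof X509Certificate)) {
                LOGGER.error("Resolve RSAKey exception: the first key store entry is not a private key with an X.509 certificate.");
                return null;
            }
            X509Certificate x509Certificate = (X509Certificate) certificate;
            PublicKey publicKey = x509Certificate.getPublicKey();
            if (!(publicKey instanceof RSAPublicKey)) {
                LOGGER.error("Resolve RSAKey exception: the client certificate does not contain an RSA public key.");
                return null;
            }

            // The key id is a fresh random UUID on every call; the certificate itself is
            // identified to the authorization server by the x5t thumbprint.
            return new RSAKey.Builder((RSAPublicKey) publicKey)
                .privateKey((PrivateKey) key)
                .x509CertThumbprint(Base64URL.encode(getX5t(x509Certificate)))
                .keyID(UUID.randomUUID().toString())
                .build();
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException e) {
            // The exception may reveal the configured path but never the password.
            LOGGER.error("Resolve RSAKey exception.", e);
            return null;
        } finally {
            // Wipe the temporary copy of the password; the String field is unaffected.
            Arrays.fill(password, '\0');
        }
    }

    /**
     * Computes the {@code x5t} value: the SHA-1 digest of the DER-encoded certificate.
     *
     * <p>SHA-1 is mandated by the definition of {@code x5t} (RFC 7515, section 4.1.7). It is
     * used here only as a certificate identifier, not as a collision-resistant integrity check.
     */
    private byte[] getX5t(X509Certificate x509Certificate) throws NoSuchAlgorithmException, CertificateEncodingException {
        return getSHA1Byte(x509Certificate.getEncoded());
    }

    /** Returns the SHA-1 digest of {@code bArr}. Do not reuse for security-bearing hashing. */
    private byte[] getSHA1Byte(byte[] bArr) throws NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-1").digest(bArr);
    }
}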
