package org.wso2.carbon.identity.openidconnect;

import com.nimbusds.jose.JWSAlgorithm;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.io.Charsets;
import org.apache.commons.lang.StringUtils;
import org.apache.oltu.oauth2.common.message.types.ResponseType;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.authz.OAuthAuthzReqMessageContext;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenRespDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AuthorizeRespDTO;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;

/* loaded from: input_file:org/wso2/carbon/identity/openidconnect/OpenIDConnectSystemClaimImpl.class */
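/**
 * Supplies the {@code at_hash} and {@code c_hash} ID token claims.
 *
 * <p>Both claims are the base64url-encoded left-most half of a digest over the access token
 * or authorization code. A relying party can recompute them to check that the token or code
 * it received alongside an ID token is the one that ID token was issued with. The digest
 * algorithm is derived from the configured ID token signature algorithm, so neither claim is
 * produced when that algorithm is {@code none}.
 *
 * <p>The signature algorithm is read from the server configuration on every call and kept in
 * a local variable, so the class holds no mutable state between or across requests.
 */
public class OpenIDConnectSystemClaimImpl implements ClaimProvider {
    private static final String AT_HASH = "at_hash";
    private static final String C_HASH = "c_hash";
    private static final String RESPONSE_TYPE_NONE = "none";

    /**
     * Builds the hash claims for an ID token issued from the authorization endpoint.
     *
     * @param oAuthAuthzReqMessageContext authorization request context; its response type
     *                                    decides which hash claims apply
     * @param oAuth2AuthorizeRespDTO      authorization response carrying the issued code and/or
     *                                    access token
     * @return a map holding {@code at_hash} and/or {@code c_hash}; empty when the ID token is
     *         unsigned or neither claim applies
     * @throws IdentityOAuth2Exception if the signature or digest algorithm cannot be resolved
     */
    @Override
    public Map<String, Object> getAdditionalClaims(OAuthAuthzReqMessageContext oAuthAuthzReqMessageContext, OAuth2AuthorizeRespDTO oAuth2AuthorizeRespDTO) throws IdentityOAuth2Exception {
        JWSAlgorithm signatureAlgorithm = resolveSignatureAlgorithm();
        Map<String, Object> claims = new HashMap<String, Object>();
        String responseType = oAuthAuthzReqMessageContext.getAuthorizationReqDTO().getResponseType();
        String authorizationCode = oAuth2AuthorizeRespDTO.getAuthorizationCode();
        String accessToken = oAuth2AuthorizeRespDTO.getAccessToken();

        // The digest algorithm is tied to the signing algorithm, so an unsigned ID token
        // carries no hash claims at all.
        if (!isIDTokenSigned(signatureAlgorithm)) {
            return claims;
        }
        if (isAccessTokenHashApplicable(responseType) && StringUtils.isNotBlank(accessToken)) {
            claims.put(AT_HASH, getHashValue(accessToken, signatureAlgorithm));
        }
        if (isCodeHashApplicable(responseType) && StringUtils.isNotBlank(authorizationCode)) {
            claims.put(C_HASH, getHashValue(authorizationCode, signatureAlgorithm));
        }
        return claims;
    }

    /**
     * Builds the hash claims for an ID token issued from the token endpoint.
     *
     * @param oAuthTokenReqMessageContext token request context; the authorization code, if any,
     *                                    is read from its request DTO
     * @param oAuth2AccessTokenRespDTO    token response carrying the issued access token
     * @return a map holding {@code at_hash} and/or {@code c_hash}; empty when the ID token is
     *         unsigned or both values are blank
     * @throws IdentityOAuth2Exception if the signature or digest algorithm cannot be resolved
     */
    @Override
    public Map<String, Object> getAdditionalClaims(OAuthTokenReqMessageContext oAuthTokenReqMessageContext, OAuth2AccessTokenRespDTO oAuth2AccessTokenRespDTO) throws IdentityOAuth2Exception {
        JWSAlgorithm signatureAlgorithm = resolveSignatureAlgorithm();
        Map<String, Object> claims = new HashMap<String, Object>();
        String authorizationCode = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getAuthorizationCode();
        String accessToken = oAuth2AccessTokenRespDTO.getAccessToken();

        if (!isIDTokenSigned(signatureAlgorithm)) {
            return claims;
        }
        if (StringUtils.isNotBlank(accessToken)) {
            claims.put(AT_HASH, getHashValue(accessToken, signatureAlgorithm));
        }
        if (StringUtils.isNotBlank(authorizationCode)) {
            claims.put(C_HASH, getHashValue(authorizationCode, signatureAlgorithm));
        }
        return claims;
    }

    /**
     * Reads the configured ID token signature algorithm and maps it to a {@link JWSAlgorithm}.
     *
     * @throws IdentityOAuth2Exception propagated from the mapping helper
     */
    private JWSAlgorithm resolveSignatureAlgorithm() throws IdentityOAuth2Exception {
        return OAuth2Util.mapSignatureAlgorithmForJWSAlgorithm(OAuthServerConfiguration.getInstance().getIdTokenSignatureAlgorithm());
    }

    /** Returns {@code true} unless the given signature algorithm is {@code none}. */
    private boolean isIDTokenSigned(JWSAlgorithm signatureAlgorithm) {
        return !JWSAlgorithm.NONE.getName().equals(signatureAlgorithm.getName());
    }

    /**
     * Computes the hash claim value for a token or authorization code: digest the UTF-8 bytes,
     * keep the left-most half of the digest, and base64url-encode it.
     *
     * @param str                the access token or authorization code to hash
     * @param signatureAlgorithm the ID token signature algorithm the digest is derived from
     * @return the base64url-encoded left half of the digest
     * @throws IdentityOAuth2Exception if the mapped digest algorithm is not available
     */
    private String getHashValue(String str, JWSAlgorithm signatureAlgorithm) throws IdentityOAuth2Exception {
        String digestAlgorithm = OAuth2Util.mapDigestAlgorithm(signatureAlgorithm);
        try {
            MessageDigest messageDigest = MessageDigest.getInstance(digestAlgorithm);
            byte[] digest = messageDigest.digest(str.getBytes(Charsets.UTF_8));
            // Half of the actual digest length gives 16/24/32 bytes for SHA-256/384/512 and
            // stays correct if the mapping helper ever returns another digest.
            byte[] leftHalf = new byte[digest.length / 2];
            System.arraycopy(digest, 0, leftHalf, 0, leftHalf.length);
            return new String(Base64.encodeBase64URLSafe(leftHalf), Charsets.UTF_8);
        } catch (NoSuchAlgorithmException e) {
            // Keep the cause so the missing provider/algorithm shows up in the stack trace.
            throw new IdentityOAuth2Exception("Error creating the hash value. Invalid Digest Algorithm: " + digestAlgorithm, e);
        }
    }

    /**
     * Decides whether {@code c_hash} applies to the given response type.
     *
     * <p>NOTE(review): this is a substring match, so any response type value containing
     * "code" qualifies; presumably the response type is validated before it reaches this
     * class - confirm against the caller. A {@code null} response type yields {@code false}.
     */
    private boolean isCodeHashApplicable(String str) {
        return str != null
                && str.contains(ResponseType.CODE.toString())
                && !RESPONSE_TYPE_NONE.equalsIgnoreCase(str);
    }

    /**
     * Decides whether {@code at_hash} applies to the given response type: every response type
     * except {@code id_token} alone and {@code none}.
     */
    private boolean isAccessTokenHashApplicable(String str) {
        return !(OIDCConstants.ID_TOKEN.equalsIgnoreCase(str) || RESPONSE_TYPE_NONE.equalsIgnoreCase(str));
    }
}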
