package org.wso2.identity.outbound.adapter.websubhub.util;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.DefaultJWKSetCache;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jose.util.DefaultResourceRetriever;
import com.nimbusds.jose.util.Resource;
import java.io.IOException;
import java.net.URI;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.TimeUnit;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.KeyGenerator;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.SecretKey;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.json.simple.JSONObject;
import org.json.simple.parser.JSONParser;
import org.json.simple.parser.ParseException;
import org.wso2.carbon.identity.event.IdentityEventException;
import org.wso2.identity.outbound.adapter.websubhub.internal.WebSubHubAdapterDataHolder;

/* loaded from: input_file:org/wso2/identity/outbound/adapter/websubhub/util/EventPayloadCryptographyUtils.class */
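public class EventPayloadCryptographyUtils {

    private static final Log log = LogFactory.getLog(EventPayloadCryptographyUtils.class);

    /**
     * Per-tenant cache of the remote RSA public key, stored as a single-key JWKSet.
     * Keyed by the tenant string passed to {@link #encryptEventPayload(String, String)}.
     * Entries are never evicted; the map grows with the number of distinct tenants seen.
     */
    private static final ConcurrentMap<String, DefaultJWKSetCache> cacheMap = new ConcurrentHashMap<>();

    /**
     * Generator for the per-event symmetric content key; initialised once in the static block.
     * NOTE(review): this single instance is shared by all callers. javax.crypto.KeyGenerator is not
     * documented as thread-safe — confirm the provider's implementation before relying on it.
     */
    private static final KeyGenerator keyGenerator;

    static {
        try {
            // The content-key size is borrowed from the JWE A128GCM method (128 bits); the symmetric
            // algorithm itself comes from WebSubHubAdapterConstants and is not visible here.
            int cekBitLength = EncryptionMethod.A128GCM.cekBitLength();
            keyGenerator = KeyGenerator.getInstance(WebSubHubAdapterConstants.SYMMETRIC_ENCRYPTION_ALGORITHM);
            keyGenerator.init(cekBitLength);
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("Unable to initialize Event Payload Cryptographer.", e);
        }
    }

    /**
     * Encrypts an event payload for a tenant using hybrid encryption: the payload is encrypted with a
     * freshly generated symmetric key, and that key is then encrypted with the tenant's RSA public key
     * fetched (and cached) from the configured key endpoint.
     *
     * @param payload      plaintext event payload; encoded as UTF-8 before encryption
     * @param tenantDomain tenant whose public key wraps the symmetric key
     * @return JSON object containing the Base64 ciphertext, the Base64 RSA-encrypted symmetric key and
     *         the Base64 IV generated by the symmetric cipher
     * @throws IdentityEventException on any cryptographic failure, key-retrieval failure, or an
     *                                unusable key endpoint response
     */
    public static JSONObject encryptEventPayload(String payload, String tenantDomain) throws IdentityEventException {
        try {
            // A fresh content key is generated for every event and never reused.
            SecretKey contentKey = keyGenerator.generateKey();
            Cipher symmetricCipher = Cipher.getInstance(WebSubHubAdapterConstants.SYMMETRIC_ENCRYPTION_ALGORITHM_WITH_MODE);
            // No IV/parameter spec is supplied, so the provider generates one; it is read back with getIV().
            symmetricCipher.init(Cipher.ENCRYPT_MODE, contentKey);
            byte[] cipherText = symmetricCipher.doFinal(payload.getBytes(StandardCharsets.UTF_8));
            byte[] iv = symmetricCipher.getIV();
            if (iv == null) {
                // A transformation without an IV would previously surface as a NullPointerException when the
                // IV was Base64-encoded; fail with the exception type callers actually handle.
                throw new IdentityEventException("Symmetric cipher did not produce an IV; unable to build encrypted event payload.");
            }

            // NOTE(review): the same constant is used for both KeyFactory.getInstance and Cipher.getInstance,
            // which suggests a bare algorithm name such as "RSA". With a bare name the padding is chosen by
            // the provider (SunJCE defaults to PKCS#1 v1.5) even though the cached JWK is labelled
            // RSA-OAEP-256 below — confirm the configured transformation and the receiver's expectation.
            PublicKey publicKey = getPublicKey(tenantDomain);
            Cipher keyWrapCipher = Cipher.getInstance(WebSubHubAdapterConstants.ASYMMETRIC_ENCRYPTION_ALGORITHM);
            keyWrapCipher.init(Cipher.ENCRYPT_MODE, publicKey);
            byte[] wrappedKey = keyWrapCipher.doFinal(contentKey.getEncoded());

            Base64.Encoder encoder = Base64.getEncoder();
            JSONObject result = new JSONObject();
            result.put(WebSubHubAdapterConstants.ENCRYPTED_PAYLOAD_JSON_KEY, encoder.encodeToString(cipherText));
            result.put(WebSubHubAdapterConstants.CRYPTO_KEY_JSON_KEY, encoder.encodeToString(wrappedKey));
            result.put(WebSubHubAdapterConstants.IV_PARAMETER_SPEC_JSON_KEY, encoder.encodeToString(iv));
            return result;
        } catch (JOSEException | InvalidKeyException | NoSuchAlgorithmException | BadPaddingException
                | IllegalBlockSizeException | NoSuchPaddingException | ParseException e) {
            throw new IdentityEventException("Error while encrypting event payload.", e);
        }
    }

    /**
     * Returns the tenant's RSA public key, serving it from the per-tenant cache when present and not
     * expired, otherwise fetching it from the key endpoint under a lock on the tenant's cache entry.
     *
     * @param tenantDomain tenant whose key is required
     * @return the tenant's RSA public key
     * @throws ParseException         if the endpoint response is not parseable JSON
     * @throws IdentityEventException if the endpoint is unreachable or returns an unusable key
     * @throws JOSEException          if the cached JWK cannot be converted back to a PublicKey
     */
    private static PublicKey getPublicKey(String tenantDomain)
            throws ParseException, InvalidKeyException, IdentityEventException, JOSEException {
        DefaultJWKSetCache cache = getJWKCache(tenantDomain);
        JWKSet cached = cache.get();
        if (cached != null && !cache.isExpired()) {
            return convertJWKToPublicKey(cached);
        }
        synchronized (cache) {
            // Re-check under the lock: another thread may have refreshed the entry while we waited.
            cached = cache.get();
            if (cached != null && !cache.isExpired()) {
                return convertJWKToPublicKey(cached);
            }
            JWKSet fresh = fetchTenantKeyAsJWKSet(tenantDomain);
            cache.put(fresh);
            return convertJWKToPublicKey(fresh);
        }
    }

    /**
     * Fetches the tenant's key from the endpoint, validates the response shape, and wraps the decoded
     * RSA key as a single-key JWKSet tagged for encryption use.
     *
     * NOTE(review): the key is trusted exactly as delivered — nothing here verifies a signature over it
     * or pins it — so key authenticity rests on the transport to the endpoint (expected to be HTTPS)
     * and the retriever's configuration. Confirm that is the intended trust model.
     */
    private static JWKSet fetchTenantKeyAsJWKSet(String tenantDomain) throws ParseException, IdentityEventException {
        Object parsed = new JSONParser().parse(retrieveKeyFromAPI(tenantDomain).getContent());
        // Reject non-object bodies explicitly instead of letting a ClassCastException escape.
        if (!(parsed instanceof JSONObject)) {
            throw new IdentityEventException("Event encryption public key endpoint has returned an invalid response.");
        }
        Object encodedKey = ((JSONObject) parsed).get(WebSubHubAdapterConstants.CRYPTO_KEY_RESPONSE_JSON_KEY);
        if (encodedKey == null) {
            throw new IdentityEventException("Event encryption public key endpoint has returned an invalid response.");
        }
        RSAPublicKey rsaPublicKey = decodeRsaPublicKey(encodedKey.toString(), tenantDomain);
        // Only the modulus/exponent are carried; use/alg are informational tags on the cached JWK.
        RSAKey jwk = new RSAKey.Builder(rsaPublicKey)
                .keyUse(KeyUse.ENCRYPTION)
                .algorithm(JWEAlgorithm.RSA_OAEP_256)
                .build();
        return new JWKSet(Collections.<JWK>singletonList(jwk));
    }

    /**
     * Decodes a Base64 X.509 (SubjectPublicKeyInfo) encoding into an RSAPublicKey.
     *
     * @throws IdentityEventException if the value is not valid Base64, not a valid key spec, the RSA
     *                                KeyFactory is unavailable, or the decoded key is not RSA
     */
    private static RSAPublicKey decodeRsaPublicKey(String base64Der, String tenantDomain) throws IdentityEventException {
        byte[] der;
        try {
            der = Base64.getDecoder().decode(base64Der);
        } catch (IllegalArgumentException e) {
            // Malformed Base64 from the endpoint previously escaped as an unchecked exception.
            throw new IdentityEventException("Unable to generate RSA public key from the retrieved key due to invalid encoding for tenant " + tenantDomain, e);
        }
        try {
            PublicKey key = KeyFactory.getInstance(WebSubHubAdapterConstants.ASYMMETRIC_ENCRYPTION_ALGORITHM)
                    .generatePublic(new X509EncodedKeySpec(der));
            if (!(key instanceof RSAPublicKey)) {
                throw new IdentityEventException("Event encryption public key is not in RSA format. Unable to encrypt event.");
            }
            return (RSAPublicKey) key;
        } catch (NoSuchAlgorithmException e) {
            throw new IdentityEventException("Unable to generate RSA public key from the retrieved key due to invalid algorithm.", e);
        } catch (InvalidKeySpecException e) {
            log.error("Unable to generate RSA public key from the retrieved key due to invalid key spec for tenant : " + tenantDomain, e);
            throw new IdentityEventException("Unable to generate RSA public key from the retrieved key due to invalid key spec for tenant " + tenantDomain, e);
        }
    }

    /**
     * Returns the cache entry for a tenant, creating it on first use with the configured lifespan
     * (in minutes) read from the adapter configuration at creation time.
     */
    private static DefaultJWKSetCache getJWKCache(String tenantDomain) {
        return cacheMap.computeIfAbsent(tenantDomain, ignored -> new DefaultJWKSetCache(
                WebSubHubAdapterDataHolder.getInstance().getAdapterConfiguration().getEncryptionKeyCacheLifespan(),
                TimeUnit.MINUTES));
    }

    /**
     * Extracts the first key of the set as an RSA PublicKey.
     *
     * @throws IdentityEventException if the set is empty or its first key is not an RSA key
     * @throws JOSEException          if the JWK cannot be converted to a java.security PublicKey
     */
    private static PublicKey convertJWKToPublicKey(JWKSet jwkSet) throws JOSEException, IdentityEventException {
        List<JWK> keys = jwkSet.getKeys();
        JWK first = keys.isEmpty() ? null : keys.get(0);
        if (first instanceof RSAKey) {
            return ((RSAKey) first).toPublicKey();
        }
        log.error("Unable to encrypt event as the encryption public key is not in RSA format.");
        throw new IdentityEventException("Event encryption public key is not in RSA format. Unable to encrypt event.");
    }

    /**
     * Retrieves the raw key endpoint response for a tenant.
     *
     * NOTE(review): the tenant string is substituted into the configured URL verbatim. This assumes
     * callers pass an already-validated tenant domain; an unvalidated value could redirect the fetch —
     * confirm at the call site.
     *
     * @throws IdentityEventException if the endpoint URL is not configured or the fetch fails
     */
    private static Resource retrieveKeyFromAPI(String tenantDomain) throws IdentityEventException {
        DefaultResourceRetriever retriever = WebSubHubAdapterDataHolder.getInstance().getResourceRetriever();
        String template = WebSubHubAdapterDataHolder.getInstance().getAdapterConfiguration().getEncryptionKeyEndpointUrl();
        // StringUtils.replace returns null for a null template, so this check also covers "not configured".
        String endpoint = StringUtils.replace(template,
                WebSubHubAdapterConstants.ENCRYPTION_KEY_ENDPOINT_URL_TENANT_PLACEHOLDER, tenantDomain);
        if (endpoint == null) {
            throw new IdentityEventException("Event encryption public key endpoint URL is not configured.");
        }
        try {
            return retriever.retrieveResource(new URL(endpoint));
        } catch (IOException e) {
            log.error("Unable to retrieve event encryption public key from " + endpoint, e);
            throw new IdentityEventException("Unable to retrieve event encryption public key from " + endpoint, e);
        }
    }
}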
