package org.wso2.carbon.identity.oauth2.authcontext;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import java.security.Key;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Date;
import java.util.Iterator;
import java.util.Map;
import java.util.SortedMap;
import java.util.StringTokenizer;
import java.util.TreeSet;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.io.Charsets;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.identity.base.IdentityException;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDAO;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDO;
import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder;
import org.wso2.carbon.identity.oauth.util.ClaimCache;
import org.wso2.carbon.identity.oauth.util.ClaimCacheKey;
import org.wso2.carbon.identity.oauth.util.UserClaims;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.dto.OAuth2TokenValidationResponseDTO;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.identity.oauth2.validators.OAuth2TokenValidationMessageContext;
import org.wso2.carbon.user.api.RealmConfiguration;
import org.wso2.carbon.user.api.UserRealm;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.user.core.service.RealmService;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/authcontext/JWTTokenGenerator.class */
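public class JWTTokenGenerator implements AuthorizationContextTokenGenerator {

    /** Value of the {@code iss} claim; also the namespace of the gateway-specific claims below. */
    private static final String API_GATEWAY_ID = "http://wso2.org/gateway";
    private static final String SUBSCRIBER_CLAIM = API_GATEWAY_ID + "/subscriber";
    private static final String APPLICATION_NAME_CLAIM = API_GATEWAY_ID + "/applicationname";
    private static final String END_USER_CLAIM = API_GATEWAY_ID + "/enduser";
    /** identity.xml value that selects an unsigned ({@code alg=none}) token. */
    private static final String NONE = "NONE";
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";
    private static final String ACCESS_TOKEN_DO_PROPERTY = "AccessTokenDO";
    private static final String OAUTH_APP_DO_PROPERTY = "OAuthAppDO";
    private static final String MULTI_ATTRIBUTE_SEPARATOR_PROPERTY = "MultiAttributeSeparator";
    /** Separator used to split multi-valued claims when the user store declares none. */
    private static final String DEFAULT_ATTRIBUTE_SEPARATOR = ",,,";
    /** Token lifetime in minutes when AuthorizationContextTTL is not configured. */
    private static final long DEFAULT_TTL_MINUTES = 15L;
    private static final long MILLIS_PER_MINUTE = 60000L;
    /** Tenant id value that this class treats as "no tenant" (claims lookups are skipped). */
    private static final int INVALID_TENANT_ID = -1;

    private static final Log log = LogFactory.getLog(JWTTokenGenerator.class);

    // Resolved lazily from configuration and shared by every generator instance in the JVM.
    private static volatile long ttl = -1;
    // Per-tenant signing material keyed by tenant id. Nothing in this class evicts an entry,
    // so a rotated tenant key or certificate is only picked up after a restart.
    private static final Map<Integer, Key> privateKeys = new ConcurrentHashMap<Integer, Key>();
    private static final Map<Integer, Certificate> publicCerts = new ConcurrentHashMap<Integer, Certificate>();

    private ClaimsRetriever claimsRetriever;
    private JWSAlgorithm signatureAlgorithm = new JWSAlgorithm(JWSAlgorithm.RS256.getName());
    private boolean includeClaims = true;
    private boolean enableSigning = true;
    // Only attached by the no-arg constructor; claim lookups bypass caching when it is null.
    private ClaimCache claimsLocalCache;
    private boolean useMultiValueSeparator = true;

    /**
     * Default generator: RS256 signing, claims included, claim cache attached.
     */
    public JWTTokenGenerator() {
        this.claimsLocalCache = ClaimCache.getInstance();
    }

    /**
     * Generator with explicit claim/signing switches.
     * <p>
     * NOTE(review): the algorithm starts as {@code none} and {@link #init()} only replaces it
     * with the configured one when BOTH flags are {@code true}. Any other combination, including
     * {@code enableSigning=true, includeClaims=false}, therefore emits an unsigned token.
     * This constructor does not attach a {@link ClaimCache}; claim lookups then skip the cache.
     *
     * @param includeClaims whether user claims should be added to the token
     * @param enableSigning whether the token should be signed
     */
    public JWTTokenGenerator(boolean includeClaims, boolean enableSigning) {
        this.includeClaims = includeClaims;
        this.enableSigning = enableSigning;
        this.signatureAlgorithm = new JWSAlgorithm(JWSAlgorithm.NONE.getName());
    }

    /**
     * Reads the signature algorithm, multi-value separator switch and claims retriever class
     * from {@link OAuthServerConfiguration}. Does nothing unless claims and signing are both
     * enabled. Failures while loading the configured {@link ClaimsRetriever} are logged and
     * leave {@code claimsRetriever} as whatever was assigned before the failure.
     *
     * @throws IdentityOAuth2Exception if the configured signature algorithm name is unknown
     */
    @Override // org.wso2.carbon.identity.oauth2.authcontext.AuthorizationContextTokenGenerator
    public void init() throws IdentityOAuth2Exception {
        if (!(this.includeClaims && this.enableSigning)) {
            return;
        }
        OAuthServerConfiguration config = OAuthServerConfiguration.getInstance();
        String configuredAlgorithm = config.getSignatureAlgorithm();
        if (configuredAlgorithm != null && !configuredAlgorithm.trim().isEmpty()) {
            this.signatureAlgorithm = mapSignatureAlgorithm(configuredAlgorithm);
        }
        this.useMultiValueSeparator = config.isUseMultiValueSeparatorForAuthContextToken();

        // The retriever class comes from identity.xml (trusted configuration), loaded reflectively.
        String retrieverClass = config.getClaimsRetrieverImplClass();
        if (retrieverClass == null) {
            return;
        }
        try {
            this.claimsRetriever = (ClaimsRetriever) Class.forName(retrieverClass).newInstance();
            this.claimsRetriever.init();
        } catch (ClassNotFoundException e) {
            log.error("Cannot find class: " + retrieverClass, e);
        } catch (IllegalAccessException e) {
            log.error("Illegal access to " + retrieverClass, e);
        } catch (InstantiationException e) {
            log.error("Error instantiating " + retrieverClass, e);
        } catch (IdentityOAuth2Exception e) {
            log.error("Error while initializing " + retrieverClass, e);
        }
    }

    /**
     * Builds the authorization-context JWT for a validated access token and stores it on the
     * response DTO as a token of type {@code "JWT"}.
     * <p>
     * Claims: {@code iss} = gateway id, {@code sub} = authorized user, {@code iat} = the access
     * token's issue time, {@code exp} = now + TTL, plus subscriber / application name / end user
     * and (when a claims retriever is configured) the user's attribute claims. The token is left
     * unsigned only when the effective algorithm is {@code none}; every consumer must treat an
     * unsigned token as untrusted unless it explicitly opted into that mode.
     *
     * @param messageContext validation context carrying the {@code AccessTokenDO} property
     * @throws IdentityOAuth2Exception if the app cannot be resolved, the TTL is invalid,
     *                                 or signing fails
     */
    @Override // org.wso2.carbon.identity.oauth2.authcontext.AuthorizationContextTokenGenerator
    public void generateToken(OAuth2TokenValidationMessageContext messageContext) throws IdentityOAuth2Exception {
        AccessTokenDO accessToken = (AccessTokenDO) messageContext.getProperty(ACCESS_TOKEN_DO_PROPERTY);
        String consumerKey = accessToken.getConsumerKey();
        long issuedAt = accessToken.getIssuedTime().getTime();
        int tenantId = accessToken.getTenantID();
        String tenantDomain = OAuth2Util.getTenantDomain(tenantId);
        String authorizedUser = messageContext.getResponseDTO().getAuthorizedUser();
        boolean userExists = isExistingUser(authorizedUser, tenantId);

        try {
            OAuthAppDO app = new OAuthAppDAO().getAppInformation(consumerKey);
            messageContext.addProperty(OAUTH_APP_DO_PROPERTY, app);

            JWTClaimsSet claimsSet = new JWTClaimsSet();
            claimsSet.setIssuer(API_GATEWAY_ID);
            claimsSet.setSubject(authorizedUser);
            // iat is the underlying access token's issue time, while exp is measured from now.
            claimsSet.setIssueTime(new Date(issuedAt));
            claimsSet.setExpirationTime(new Date(System.currentTimeMillis() + MILLIS_PER_MINUTE * getTTL()));
            claimsSet.setClaim(SUBSCRIBER_CLAIM, app.getUser().toString());
            claimsSet.setClaim(APPLICATION_NAME_CLAIM, app.getApplicationName());
            claimsSet.setClaim(END_USER_CLAIM, authorizedUser);

            if (this.claimsRetriever != null) {
                addUserClaims(claimsSet, messageContext, authorizedUser, tenantId, userExists);
            }

            JWT jwt;
            if (JWSAlgorithm.NONE.equals(this.signatureAlgorithm)) {
                jwt = new PlainJWT(claimsSet);
            } else {
                // The header carries the configured algorithm (previously hard-coded to RS256,
                // which silently ignored an RS384/RS512 configuration). Nimbus signs with the
                // header's alg, so header and signature always agree.
                JWSHeader header = new JWSHeader(this.signatureAlgorithm);
                header.setX509CertThumbprint(new Base64URL(getThumbPrint(tenantDomain, tenantId)));
                jwt = signJWT(new SignedJWT(header, claimsSet), tenantDomain, tenantId);
            }

            String serialized = jwt.serialize();
            if (log.isDebugEnabled()) {
                // Writes the complete token, including any user claims, to the log.
                log.debug("JWT Assertion Value : " + serialized);
            }
            OAuth2TokenValidationResponseDTO responseDTO = messageContext.getResponseDTO();
            // Decompiler residue of a qualified inner-class instantiation; kept verbatim.
            responseDTO.getClass();
            messageContext.getResponseDTO().setAuthorizationContextToken(new OAuth2TokenValidationResponseDTO.AuthorizationContextToken("JWT", serialized));
        } catch (InvalidOAuthClientException e) {
            log.debug(e.getMessage(), e);
            throw new IdentityOAuth2Exception(e.getMessage(), e);
        } catch (IdentityOAuth2Exception e) {
            log.debug(e.getMessage(), e);
            throw e;
        }
    }

    /**
     * Checks whether {@code authorizedUser} exists in the tenant's user store.
     * Returns {@code false} when no realm service is available, the tenant id is invalid,
     * or the lookup fails (the failure is logged).
     */
    private boolean isExistingUser(String authorizedUser, int tenantId) {
        RealmService realmService = OAuthComponentServiceHolder.getInstance().getRealmService();
        if (realmService == null || tenantId == INVALID_TENANT_ID) {
            return false;
        }
        try {
            UserRealm realm = realmService.getTenantUserRealm(tenantId);
            return realm != null
                    && realm.getUserStoreManager().isExistingUser(MultitenantUtils.getTenantAwareUsername(authorizedUser));
        } catch (UserStoreException e) {
            log.error("Error occurred while loading the realm service", e);
            return false;
        }
    }

    /**
     * Resolves the user's claims (from the cache or the claims retriever) and copies them into
     * {@code claimsSet}, one claim per URI in sorted order. A claim value containing the
     * separator is emitted as a String array of its non-blank parts.
     * <p>
     * The separator is resolved per call so concurrent requests for users in different stores
     * cannot observe each other's separator.
     */
    private void addUserClaims(JWTClaimsSet claimsSet, OAuth2TokenValidationMessageContext messageContext,
                               String authorizedUser, int tenantId, boolean userExists)
            throws IdentityOAuth2Exception {
        String[] requiredClaims = messageContext.getRequestDTO().getRequiredClaimURIs();
        if (requiredClaims == null && userExists) {
            requiredClaims = this.claimsRetriever.getDefaultClaims(authorizedUser);
        }

        ClaimCacheKey cacheKey = null;
        UserClaims cachedClaims = null;
        if (requiredClaims != null) {
            cacheKey = new ClaimCacheKey(authorizedUser, requiredClaims);
            if (this.claimsLocalCache != null) {
                cachedClaims = (UserClaims) this.claimsLocalCache.getValueFromCache(cacheKey);
            }
        }

        SortedMap<String, String> claimValues = null;
        if (cachedClaims != null) {
            claimValues = cachedClaims.getClaimValues();
        } else if (userExists) {
            claimValues = this.claimsRetriever.getClaims(authorizedUser, requiredClaims);
            if (this.claimsLocalCache != null && cacheKey != null) {
                this.claimsLocalCache.addToCache(cacheKey, new UserClaims(claimValues));
            }
        }
        if (claimValues == null) {
            return;
        }

        String separator = DEFAULT_ATTRIBUTE_SEPARATOR;
        if (userExists) {
            String storeSeparator = getMultiAttributeSeparator(authorizedUser, tenantId);
            if (StringUtils.isNotBlank(storeSeparator)) {
                separator = storeSeparator;
            }
        }

        for (String claimUri : new TreeSet<String>(claimValues.keySet())) {
            String value = claimValues.get(claimUri);
            if (this.useMultiValueSeparator && value != null && value.contains(separator)) {
                claimsSet.setClaim(claimUri, splitMultiValue(value, separator));
            } else {
                claimsSet.setClaim(claimUri, value);
            }
        }
    }

    /**
     * Splits a multi-valued attribute into its non-blank parts.
     * Note: {@link StringTokenizer} treats {@code separator} as a set of delimiter characters,
     * not as a literal string, so a multi-character separator splits on each of its characters.
     */
    private static String[] splitMultiValue(String value, String separator) {
        ArrayList<String> parts = new ArrayList<String>();
        StringTokenizer tokenizer = new StringTokenizer(value, separator);
        while (tokenizer.hasMoreTokens()) {
            String part = tokenizer.nextToken();
            if (StringUtils.isNotBlank(part)) {
                parts.add(part);
            }
        }
        return parts.toArray(new String[parts.size()]);
    }

    /**
     * Signs {@code signedJWT} with the tenant's RSA private key.
     *
     * @param signedJWT    token to sign; its header's {@code alg} selects the hash
     * @param algorithm    kept for signature compatibility; the signer uses the header's alg
     * @param tenantDomain tenant whose key is used ({@code null} means the super tenant)
     * @param tenantId     tenant id ({@code 0} is resolved from the domain)
     * @return the same instance, now signed
     * @throws IdentityOAuth2Exception if no RSA private key is available or signing fails
     */
    protected SignedJWT signJWTWithRSA(SignedJWT signedJWT, JWSAlgorithm algorithm, String tenantDomain, int tenantId) throws IdentityOAuth2Exception {
        Key key = getPrivateKey(tenantDomain, tenantId);
        if (!(key instanceof RSAPrivateKey)) {
            log.error("No RSA private key available for tenant " + tenantDomain);
            throw new IdentityOAuth2Exception("No RSA private key available for tenant " + tenantDomain);
        }
        try {
            signedJWT.sign(new RSASSASigner((RSAPrivateKey) key));
            return signedJWT;
        } catch (JOSEException e) {
            log.error("Error while signing JWT for tenant " + tenantDomain, e);
            throw new IdentityOAuth2Exception("Error while signing JWT for tenant " + tenantDomain, e);
        } catch (Exception e) {
            log.error("Error while signing JWT for tenant " + tenantDomain, e);
            throw new IdentityOAuth2Exception("Error while signing JWT for tenant " + tenantDomain, e);
        }
    }

    /**
     * Dispatches signing by the configured algorithm. Only RS256/RS384/RS512 have a signer;
     * the HMAC and EC names accepted by {@link #mapSignatureAlgorithm(String)} are rejected here.
     *
     * @throws IdentityOAuth2Exception for any non-RSA algorithm, or if RSA signing fails
     */
    protected JWT signJWT(SignedJWT signedJWT, String tenantDomain, int tenantId) throws IdentityOAuth2Exception {
        if (isRsaAlgorithm(this.signatureAlgorithm)) {
            return signJWTWithRSA(signedJWT, this.signatureAlgorithm, tenantDomain, tenantId);
        }
        String message = "UnSupported Signature Algorithm: " + this.signatureAlgorithm.getName();
        log.error(message);
        throw new IdentityOAuth2Exception(message);
    }

    private static boolean isRsaAlgorithm(JWSAlgorithm algorithm) {
        return JWSAlgorithm.RS256.equals(algorithm)
                || JWSAlgorithm.RS384.equals(algorithm)
                || JWSAlgorithm.RS512.equals(algorithm);
    }

    /**
     * Maps the identity.xml algorithm name to a JOSE algorithm.
     *
     * @throws IdentityOAuth2Exception for names not in the supported list
     */
    protected JWSAlgorithm mapSignatureAlgorithm(String name) throws IdentityOAuth2Exception {
        if ("SHA256withRSA".equals(name)) {
            return JWSAlgorithm.RS256;
        }
        if ("SHA384withRSA".equals(name)) {
            return JWSAlgorithm.RS384;
        }
        if ("SHA512withRSA".equals(name)) {
            return JWSAlgorithm.RS512;
        }
        if ("SHA256withHMAC".equals(name)) {
            return JWSAlgorithm.HS256;
        }
        if ("SHA384withHMAC".equals(name)) {
            return JWSAlgorithm.HS384;
        }
        if ("SHA512withHMAC".equals(name)) {
            return JWSAlgorithm.HS512;
        }
        if ("SHA256withEC".equals(name)) {
            return JWSAlgorithm.ES256;
        }
        if ("SHA384withEC".equals(name)) {
            return JWSAlgorithm.ES384;
        }
        if ("SHA512withEC".equals(name)) {
            return JWSAlgorithm.ES512;
        }
        if (NONE.equals(name)) {
            return new JWSAlgorithm(JWSAlgorithm.NONE.getName());
        }
        log.error("Unsupported Signature Algorithm in identity.xml");
        throw new IdentityOAuth2Exception("Unsupported Signature Algorithm in identity.xml");
    }

    /**
     * Returns the token TTL in minutes, reading AuthorizationContextTTL once and caching it
     * process-wide (double-checked on the volatile field).
     *
     * @throws IdentityOAuth2Exception if the configured value is not a number
     */
    private long getTTL() throws IdentityOAuth2Exception {
        if (ttl != -1) {
            return ttl;
        }
        synchronized (JWTTokenGenerator.class) {
            if (ttl != -1) {
                return ttl;
            }
            String configured = OAuthServerConfiguration.getInstance().getAuthorizationContextTTL();
            if (configured == null) {
                ttl = DEFAULT_TTL_MINUTES;
            } else {
                try {
                    ttl = Long.parseLong(configured.trim());
                } catch (NumberFormatException e) {
                    throw new IdentityOAuth2Exception("Invalid AuthorizationContextTTL value: " + configured, e);
                }
            }
            return ttl;
        }
    }

    /**
     * Computes the {@code x5t} header value for the tenant certificate: base64url (no padding)
     * of the lower-case hex SHA-1 digest of the DER encoding.
     * <p>
     * NOTE(review): RFC 7515 defines {@code x5t} as base64url of the raw SHA-1 digest; this
     * encodes the hex string instead. Kept as-is because the gateway verifier expects this form.
     * SHA-1 here is a key identifier, not a security boundary.
     */
    private String getThumbPrint(String tenantDomain, int tenantId) throws IdentityOAuth2Exception {
        try {
            Certificate certificate = getCertificate(tenantDomain, tenantId);
            MessageDigest digest = MessageDigest.getInstance("SHA-1");
            digest.update(certificate.getEncoded());
            byte[] hexDigest = hexify(digest.digest()).getBytes(Charsets.UTF_8);
            // (lineLength 0, no separator, urlSafe) => unpadded base64url on a single line
            return new String(new Base64(0, null, true).encode(hexDigest), Charsets.UTF_8);
        } catch (Exception e) {
            throw new IdentityOAuth2Exception("Error in obtaining certificate for tenant " + tenantDomain, e);
        }
    }

    /** Name of a tenant's keystore file, e.g. {@code foo-com.jks} for {@code foo.com}. */
    private static String tenantKeyStoreName(String tenantDomain) {
        return tenantDomain.trim().replace(".", "-") + ".jks";
    }

    /**
     * Loads (and caches for the process lifetime) the tenant's signing key. A {@code null}
     * domain means the super tenant; a tenant id of {@code 0} is resolved from the domain.
     * May return {@code null} if the super-tenant key cannot be read (the error is logged).
     *
     * @throws IdentityOAuth2Exception if the tenant registry cannot be initialised
     */
    private Key getPrivateKey(String tenantDomain, int tenantId) throws IdentityOAuth2Exception {
        if (tenantDomain == null) {
            tenantDomain = SUPER_TENANT_DOMAIN;
        }
        if (tenantId == 0) {
            tenantId = OAuth2Util.getTenantId(tenantDomain);
        }
        Key cached = privateKeys.get(Integer.valueOf(tenantId));
        if (cached != null) {
            return cached;
        }
        PrivateKey privateKey = null;
        try {
            IdentityTenantUtil.initializeRegistry(tenantId, tenantDomain);
            KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(tenantId);
            if (SUPER_TENANT_DOMAIN.equals(tenantDomain)) {
                try {
                    privateKey = keyStoreManager.getDefaultPrivateKey();
                } catch (Exception e) {
                    log.error("Error while obtaining private key for super tenant", e);
                }
            } else {
                privateKey = keyStoreManager.getPrivateKey(tenantKeyStoreName(tenantDomain), tenantDomain);
            }
            if (privateKey != null) {
                privateKeys.put(Integer.valueOf(tenantId), privateKey);
            }
        } catch (IdentityException e) {
            throw new IdentityOAuth2Exception("Error occurred while loading registry for tenant " + tenantDomain, e);
        }
        return privateKey;
    }

    /**
     * Loads (and caches for the process lifetime) the tenant's certificate, the counterpart of
     * {@link #getPrivateKey(String, int)}; same domain/id defaulting rules.
     *
     * @throws Exception if the keystore cannot be read, or (as IdentityOAuth2Exception) if the
     *                   tenant registry cannot be initialised
     */
    private Certificate getCertificate(String tenantDomain, int tenantId) throws Exception {
        if (tenantDomain == null) {
            tenantDomain = SUPER_TENANT_DOMAIN;
        }
        if (tenantId == 0) {
            tenantId = OAuth2Util.getTenantId(tenantDomain);
        }
        Certificate cached = publicCerts.get(Integer.valueOf(tenantId));
        if (cached != null) {
            return cached;
        }
        Certificate certificate;
        try {
            IdentityTenantUtil.initializeRegistry(tenantId, tenantDomain);
            KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(tenantId);
            if (SUPER_TENANT_DOMAIN.equals(tenantDomain)) {
                certificate = keyStoreManager.getDefaultPrimaryCertificate();
            } else {
                certificate = keyStoreManager.getKeyStore(tenantKeyStoreName(tenantDomain)).getCertificate(tenantDomain);
            }
            if (certificate != null) {
                publicCerts.put(Integer.valueOf(tenantId), certificate);
            }
        } catch (IdentityException e) {
            throw new IdentityOAuth2Exception("Error occurred while loading registry for tenant " + tenantDomain, e);
        }
        return certificate;
    }

    /** Lower-case hex encoding of {@code bytes}, two characters per byte. */
    private String hexify(byte[] bytes) {
        final char[] digits = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(digits[(b & 0xF0) >> 4]);
            sb.append(digits[b & 0x0F]);
        }
        return sb.toString();
    }

    /**
     * Reads the MultiAttributeSeparator property of the user store that holds {@code username}
     * (the store is taken from the username's domain prefix). Returns {@code null} when the
     * realm, store or property is unavailable or blank; lookup errors are logged.
     */
    private String getMultiAttributeSeparator(String username, int tenantId) {
        String storeDomain = IdentityUtil.extractDomainFromName(username);
        try {
            RealmService realmService = OAuthComponentServiceHolder.getInstance().getRealmService();
            if (realmService == null || tenantId == INVALID_TENANT_ID) {
                return null;
            }
            UserRealm realm = realmService.getTenantUserRealm(tenantId);
            if (realm == null || realm.getUserStoreManager() == null
                    || realm.getUserStoreManager().getSecondaryUserStoreManager(storeDomain) == null) {
                return null;
            }
            RealmConfiguration realmConfiguration =
                    realm.getUserStoreManager().getSecondaryUserStoreManager(storeDomain).getRealmConfiguration();
            if (realmConfiguration == null) {
                return null;
            }
            String separator = realmConfiguration.getUserStoreProperty(MULTI_ATTRIBUTE_SEPARATOR_PROPERTY);
            if (separator == null || separator.trim().isEmpty()) {
                return null;
            }
            return separator;
        } catch (UserStoreException e) {
            log.error("Error occurred while getting the realm configuration, User store properties might not be returned", e);
            return null;
        }
    }
}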
