package org.wso2.carbon.auth.oauth.impl;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.oauth2.sdk.Scope;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.util.Calendar;
import java.util.Collections;
import java.util.Date;
import java.util.UUID;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.io.Charsets;
import org.apache.commons.lang3.StringUtils;
import org.wso2.carbon.auth.core.exception.AuthException;
import org.wso2.carbon.auth.oauth.OAuthConstants;
import org.wso2.carbon.auth.oauth.dto.AccessTokenContext;
import org.wso2.carbon.auth.oauth.internal.ServiceReferenceHolder;

/* loaded from: input_file:org/wso2/carbon/auth/oauth/impl/JWTTokenGenerator.class */
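/**
 * Token generator that issues the OAuth2 access token as a JWT rather than an opaque string.
 *
 * <p>The JWT is signed with the server's RSA private key (obtained from
 * {@link ServiceReferenceHolder}) using the algorithm configured via
 * {@code getSignatureAlgorithm()}. Only {@code SHA256withRSA}, {@code SHA384withRSA} and
 * {@code SHA512withRSA} can actually be used for signing: the HMAC and EC names are accepted
 * by {@link #mapSignatureAlgorithm(String)} but rejected by {@code signJwt}, so with one of
 * those configured every token request fails with {@code server_error}.
 *
 * <p>SECURITY: when the configured algorithm is {@code NONE} the token is emitted as an
 * <em>unsigned</em> {@link PlainJWT} ({@code alg=none}). Such a token can be fabricated by
 * anyone who knows the issuer and client id; any relying party that accepts it on the basis
 * of its contents alone is wide open. Treat that setting as a development-only option.
 *
 * <p>SECURITY: a negative {@code validity_period} produces a token whose {@code exp} is
 * {@code Long.MAX_VALUE}, i.e. it never expires on its own.
 *
 * <p>The {@code kid} and {@code x5t} headers carry base64url(hex(SHA-1(cert DER))) rather than
 * the RFC 7515 form base64url(SHA-1(cert DER)). Consumers that verify these tokens must
 * compute the thumbprint the same way; do not "fix" this here without changing them too.
 */
public class JWTTokenGenerator extends DefaultTokenGenerator {
    private static final String AUTHORIZATION_PARTY = "azp";
    private static final String SCOPE = "scope";
    private static final String VALIDITY_PERIOD = "validity_period";
    private static final String NONE = "NONE";
    private static final String SHA256_WITH_RSA = "SHA256withRSA";
    private static final String SHA384_WITH_RSA = "SHA384withRSA";
    private static final String SHA512_WITH_RSA = "SHA512withRSA";
    private static final String SHA256_WITH_HMAC = "SHA256withHMAC";
    private static final String SHA384_WITH_HMAC = "SHA384withHMAC";
    private static final String SHA512_WITH_HMAC = "SHA512withHMAC";
    private static final String SHA256_WITH_EC = "SHA256withEC";
    private static final String SHA384_WITH_EC = "SHA384withEC";
    private static final String SHA512_WITH_EC = "SHA512withEC";
    private static final char[] HEX_DIGITS =
            {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};

    // NOTE(review): resolved once at construction through an overridable method, so a subclass
    // override of mapSignatureAlgorithm runs before the subclass's own fields are initialised.
    private Algorithm signatureAlgorithm =
            mapSignatureAlgorithm(ServiceReferenceHolder.getInstance().getAuthConfigurations().getSignatureAlgorithm());

    /**
     * Builds the JWT access token for the request described by {@code accessTokenContext},
     * stores it under {@link OAuthConstants#TOKEN} (with the {@code jti} under
     * {@link OAuthConstants#TOKEN_ALIAS}) and then delegates to the parent generator.
     *
     * <p>On a signing failure the context is marked unsuccessful with
     * {@link OAuth2Error#SERVER_ERROR}; the underlying cause is not retained.
     *
     * @param accessTokenContext request context; must carry scopes, validity period, user and
     *                           client id in its params (see {@code getJWTClaimSet})
     */
    @Override // org.wso2.carbon.auth.oauth.impl.DefaultTokenGenerator, org.wso2.carbon.auth.oauth.TokenGenerator
    public void generateAccessToken(AccessTokenContext accessTokenContext) {
        JWTClaimsSet claims = getJWTClaimSet(accessTokenContext);
        try {
            String token;
            if (isUnsignedAlgorithm()) {
                // SECURITY: alg=none — the token carries no integrity protection at all.
                token = new PlainJWT(claims).serialize();
            } else {
                token = signJwt(claims);
            }
            publishToken(accessTokenContext, claims, token);
        } catch (AuthException e) {
            // No logger is available in this class, so the cause is lost here.
            accessTokenContext.setSuccessful(false);
            accessTokenContext.setErrorObject(OAuth2Error.SERVER_ERROR);
        }
    }

    /** A fresh JWT is minted for every request rather than re-using a cached one. */
    @Override // org.wso2.carbon.auth.oauth.TokenGenerator
    public boolean renewAccessTokenPerRequest() {
        return true;
    }

    /** True when the configured algorithm is JOSE {@code none}. */
    private boolean isUnsignedAlgorithm() {
        return JWSAlgorithm.NONE.getName().equals(this.signatureAlgorithm.getName());
    }

    /** Records the serialised token and its {@code jti} alias, then hands off to the parent. */
    private void publishToken(AccessTokenContext accessTokenContext, JWTClaimsSet claims, String token) {
        accessTokenContext.getParams().put(OAuthConstants.TOKEN_ALIAS, claims.getJWTID());
        accessTokenContext.getParams().put(OAuthConstants.TOKEN, token);
        super.generateAccessToken(accessTokenContext);
    }

    /** True for the three RSASSA algorithms this generator can sign with. */
    private boolean isSupportedRsaAlgorithm() {
        return JWSAlgorithm.RS256.equals(this.signatureAlgorithm)
                || JWSAlgorithm.RS384.equals(this.signatureAlgorithm)
                || JWSAlgorithm.RS512.equals(this.signatureAlgorithm);
    }

    /**
     * Signs {@code claims} with the server private key and returns the compact serialisation.
     *
     * <p>The JWS header carries the certificate thumbprint as both {@code kid} and {@code x5t}
     * (see the class comment for the non-standard thumbprint form).
     *
     * @throws AuthException if the configured algorithm is not RS256/RS384/RS512, or if
     *                       hashing the certificate or signing fails
     */
    private String signJwt(JWTClaimsSet claims) throws AuthException {
        if (!isSupportedRsaAlgorithm()) {
            throw new AuthException("Invalid signature algorithm provided. " + this.signatureAlgorithm);
        }
        if (!(this.signatureAlgorithm instanceof JWSAlgorithm)) {
            throw new AuthException("Signature Algorithm couldn't convert to JWSAlgorithm");
        }
        try {
            RSASSASigner signer = new RSASSASigner(ServiceReferenceHolder.getInstance().getPrivateKey());
            String thumbPrint = getThumbPrint(ServiceReferenceHolder.getInstance().getPublicKey());
            JWSHeader header = new JWSHeader.Builder((JWSAlgorithm) this.signatureAlgorithm)
                    .keyID(thumbPrint)
                    .x509CertThumbprint(new Base64URL(thumbPrint))
                    .build();
            SignedJWT signedJWT = new SignedJWT(header, claims);
            signedJWT.sign(signer);
            return signedJWT.serialize();
        } catch (NoSuchAlgorithmException | CertificateEncodingException | JOSEException e) {
            // A cause-carrying AuthException constructor is not visible from here, so the
            // exception text is folded into the message instead of being dropped outright.
            throw new AuthException("Error signing JWT with " + this.signatureAlgorithm + ": "
                    + e.getClass().getSimpleName() + ": " + e.getMessage());
        }
    }

    /**
     * Assembles the claim set: {@code iss} from configuration, {@code sub} = authenticated user,
     * {@code azp} and {@code aud} = client id, {@code scope} = the request scopes, a random
     * {@code jti}, and {@code iat}/{@code nbf} = now.
     *
     * <p>{@code exp} is now + {@code validity_period} seconds; a negative validity period
     * yields {@code Long.MAX_VALUE}, i.e. a token that never expires.
     *
     * <p>Assumes the scopes and validity period params are present and non-null — a missing
     * one raises an unchecked exception from here.
     */
    private JWTClaimsSet getJWTClaimSet(AccessTokenContext accessTokenContext) {
        Scope scope = (Scope) accessTokenContext.getParams().get(OAuthConstants.SCOPES);
        long validitySeconds = ((Long) accessTokenContext.getParams().get(VALIDITY_PERIOD)).longValue();
        long nowMillis = System.currentTimeMillis();
        String authUser = (String) accessTokenContext.getParams().get(OAuthConstants.AUTH_USER);
        String clientId = (String) accessTokenContext.getParams().get(OAuthConstants.CLIENT_ID);
        String tokenIssuer = ServiceReferenceHolder.getInstance().getAuthConfigurations().getTokenIssuer();

        Date expiry = validitySeconds < 0
                ? new Date(Long.MAX_VALUE)          // SECURITY: never-expiring token
                : new Date(nowMillis + (validitySeconds * 1000));

        return new JWTClaimsSet.Builder()
                .issuer(tokenIssuer)
                .subject(authUser)
                .claim(AUTHORIZATION_PARTY, clientId)
                .issueTime(new Date(nowMillis))
                .jwtID(UUID.randomUUID().toString())
                .notBeforeTime(new Date(nowMillis))
                .claim(SCOPE, scope.toString())
                .expirationTime(expiry)
                .audience(Collections.singletonList(clientId))
                .build();
    }

    /**
     * Maps the configured algorithm name onto a JOSE {@link JWSAlgorithm}.
     *
     * <p>Note that HMAC and EC names are mapped here but cannot be signed with by this class;
     * {@code NONE} maps to {@code alg=none} (unsigned tokens).
     *
     * @param str configured algorithm name, e.g. {@code SHA256withRSA}
     * @throws AuthException if the name is blank or not one of the known values
     */
    protected JWSAlgorithm mapSignatureAlgorithm(String str) throws AuthException {
        if (StringUtils.isBlank(str)) {
            throw new AuthException("Unsupported Signature Algorithm");
        }
        switch (str) {
            case NONE:
                return new JWSAlgorithm(JWSAlgorithm.NONE.getName());
            case SHA256_WITH_RSA:
                return JWSAlgorithm.RS256;
            case SHA384_WITH_RSA:
                return JWSAlgorithm.RS384;
            case SHA512_WITH_RSA:
                return JWSAlgorithm.RS512;
            case SHA256_WITH_HMAC:
                return JWSAlgorithm.HS256;
            case SHA384_WITH_HMAC:
                return JWSAlgorithm.HS384;
            case SHA512_WITH_HMAC:
                return JWSAlgorithm.HS512;
            case SHA256_WITH_EC:
                return JWSAlgorithm.ES256;
            case SHA384_WITH_EC:
                return JWSAlgorithm.ES384;
            case SHA512_WITH_EC:
                return JWSAlgorithm.ES512;
            default:
                throw new AuthException("Unsupported Signature Algorithm");
        }
    }

    /**
     * Returns base64url(hex(SHA-1(DER))) of {@code certificate}, without padding.
     *
     * <p>SHA-1 is acceptable here only because the value is a key identifier, not an
     * integrity check. The encoding is not the RFC 7515 {@code x5t} form; see the class comment.
     */
    private static String getThumbPrint(Certificate certificate)
            throws NoSuchAlgorithmException, CertificateEncodingException {
        MessageDigest digest = MessageDigest.getInstance("SHA-1");
        digest.update(certificate.getEncoded());
        byte[] hexBytes = hexify(digest.digest()).getBytes(StandardCharsets.UTF_8);
        // lineLength 0 = no chunking; urlSafe = true also suppresses padding.
        return new String(new Base64(0, null, true).encode(hexBytes), StandardCharsets.UTF_8);
    }

    /** Lower-case hexadecimal rendering of {@code bytes}, two characters per byte. */
    private static String hexify(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(HEX_DIGITS[(b & 0xF0) >> 4]);
            sb.append(HEX_DIGITS[b & 0x0F]);
        }
        return sb.toString();
    }
}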
