package org.wso2.carbon.apimgt.impl.token;

import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.axiom.util.base64.Base64Utils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.apimgt.api.APIManagementException;
import org.wso2.carbon.apimgt.impl.APIConstants;
import org.wso2.carbon.apimgt.impl.dto.APIKeyValidationInfoDTO;
import org.wso2.carbon.apimgt.impl.internal.ServiceReferenceHolder;
import org.wso2.carbon.apimgt.impl.utils.APIUtil;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.registry.core.exceptions.RegistryException;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/apimgt/impl/token/AbstractJWTGenerator.class */
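/**
 * Base class for the JWT generators used by the API gateway to pass end-user and API
 * information to back ends.
 *
 * <p>The generator assembles {@code header.body.signature}. Header and body are JSON built
 * here, Base64-encoded with Axiom's {@link Base64Utils}. The signature algorithm is taken
 * from server configuration only ({@value #SIGNATURE_ALGORITHM}); it is never influenced by
 * the incoming token. Two values are supported: {@code SHA256withRSA} (signed with the
 * tenant's primary private key) and {@code NONE} (unsigned, empty signature segment).
 *
 * <p>Tenant private keys and public certificates are cached for the life of the JVM in
 * static maps keyed by tenant id; this class never evicts them, so a rotated tenant keystore
 * is only picked up after a restart.
 *
 * <p>Compatibility notes (behaviour kept on purpose): {@link Base64Utils#encode} appears to
 * emit standard (non-URL-safe, padded) Base64 rather than the base64url alphabet RFC 7515
 * specifies, and the {@code x5t} header value is Base64 of the lowercase hex SHA-1
 * thumbprint rather than Base64 of the raw digest — confirm before relying on a generic
 * JWT library to verify these tokens.
 *
 * <p>Subclasses supply the claim sets through {@link #populateStandardClaims} and
 * {@link #populateCustomClaims}.
 */
public abstract class AbstractJWTGenerator implements TokenGenerator {
    public static final String API_GATEWAY_ID = "wso2.org/products/am";
    private static final String SHA256_WITH_RSA = "SHA256withRSA";
    private static final String NONE = "NONE";
    /** Configuration property that selects the signature algorithm. */
    private static final String SIGNATURE_ALGORITHM = "APIConsumerAuthentication.SignatureAlgorithm";
    /** Domain name of the super tenant, whose keys come from the default (primary) keystore. */
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";
    /** File extension of per-tenant keystores. */
    private static final String TENANT_KEYSTORE_EXTENSION = ".jks";
    /** TTL (in the unit used by the configuration) applied when the TTL property is absent. */
    private static final long DEFAULT_TTL = 15L;
    /** Marker meaning "TTL not yet read from configuration". */
    private static final long TTL_UNSET = -1;
    private static final char[] HEX_DIGITS = {
        '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'
    };
    // Logger category intentionally kept on JWTGenerator so existing log configuration still applies.
    private static final Log log = LogFactory.getLog(JWTGenerator.class);
    // Lazily read once; volatile so the unsynchronised fast path in getTTL() sees the published value.
    private static volatile long ttl = TTL_UNSET;
    // Per-tenant key material caches. Concurrent map, so concurrent token generation is safe; entries are never evicted.
    private static final ConcurrentHashMap<Integer, Key> privateKeys = new ConcurrentHashMap<>();
    private static final ConcurrentHashMap<Integer, Certificate> publicCerts = new ConcurrentHashMap<>();

    private ClaimsRetriever claimsRetriever;
    private String dialectURI;
    private String signatureAlgorithm;

    /**
     * Reads the dialect URI, signature algorithm and optional claims-retriever class from the
     * API Manager configuration.
     *
     * <p>Unknown or missing signature algorithm values fall back to {@code SHA256withRSA},
     * so a typo in configuration can never silently disable signing. A failure to load the
     * claims retriever is logged and leaves {@link #getClaimsRetriever()} returning
     * {@code null} (or an instance whose {@code init()} failed, if that is where it broke).
     */
    public AbstractJWTGenerator() {
        String configuredDialect = readConfigProperty(ClaimsRetriever.CONSUMER_DIALECT_URI);
        this.dialectURI = configuredDialect != null ? configuredDialect : ClaimsRetriever.DEFAULT_DIALECT_URI;

        String configuredAlgorithm = readConfigProperty(SIGNATURE_ALGORITHM);
        // Whitelist: only the two supported values are honoured; anything else means "sign".
        if (NONE.equals(configuredAlgorithm) || SHA256_WITH_RSA.equals(configuredAlgorithm)) {
            this.signatureAlgorithm = configuredAlgorithm;
        } else {
            this.signatureAlgorithm = SHA256_WITH_RSA;
        }

        String retrieverClassName = readConfigProperty(ClaimsRetriever.CLAIMS_RETRIEVER_IMPL_CLASS);
        if (retrieverClassName != null) {
            try {
                this.claimsRetriever = (ClaimsRetriever) APIUtil.getClassForName(retrieverClassName).newInstance();
                this.claimsRetriever.init();
            } catch (ClassNotFoundException e) {
                log.error("Cannot find class: " + retrieverClassName, e);
            } catch (APIManagementException e) {
                log.error("Error while initializing " + retrieverClassName, e);
            } catch (IllegalAccessException e) {
                log.error("Illegal access to " + retrieverClassName, e);
            } catch (InstantiationException e) {
                log.error("Error instantiating " + retrieverClassName, e);
            }
        }
    }

    /**
     * Returns the first value of the named API Manager configuration property.
     *
     * @param name configuration property name
     * @return the configured value, or {@code null} when the property is not set
     */
    private static String readConfigProperty(String name) {
        return ServiceReferenceHolder.getInstance()
                .getAPIManagerConfigurationService()
                .getAPIManagerConfiguration()
                .getFirstProperty(name);
    }

    /** @return the claim dialect URI in use (configured value or the default dialect) */
    public String getDialectURI() {
        return this.dialectURI;
    }

    /** @return the configured claims retriever, or {@code null} when none is configured or it failed to load */
    public ClaimsRetriever getClaimsRetriever() {
        return this.claimsRetriever;
    }

    /**
     * Produces the standard claim set for the token body.
     *
     * @param aPIKeyValidationInfoDTO validated key information for the request
     * @param str first context value; forwarded unchanged from {@link #generateToken}
     * @param str2 second context value; forwarded unchanged from {@link #generateToken}
     * @return mutable map of claim name to value, or {@code null} to emit no body; values
     *         for {@code exp}, {@code nbf} and {@code iat} are written as bare JSON numbers
     * @throws APIManagementException if the claims cannot be assembled
     */
    public abstract Map<String, String> populateStandardClaims(APIKeyValidationInfoDTO aPIKeyValidationInfoDTO, String str, String str2) throws APIManagementException;

    /**
     * Produces the custom (deployment-specific) claim set, merged over the standard claims.
     *
     * @param aPIKeyValidationInfoDTO validated key information for the request
     * @param str first context value; forwarded unchanged from {@link #generateToken}
     * @param str2 second context value; forwarded unchanged from {@link #generateToken}
     * @param str3 third context value; forwarded unchanged from {@link #generateToken} ({@code null} for the 3-arg overload)
     * @return map of claim name to value, or {@code null} when there are none
     * @throws APIManagementException if the claims cannot be assembled
     */
    public abstract Map<String, String> populateCustomClaims(APIKeyValidationInfoDTO aPIKeyValidationInfoDTO, String str, String str2, String str3) throws APIManagementException;

    /**
     * Generates a token with no third context value; see the 4-argument overload.
     */
    @Override // org.wso2.carbon.apimgt.impl.token.TokenGenerator
    public String generateToken(APIKeyValidationInfoDTO aPIKeyValidationInfoDTO, String str, String str2) throws APIManagementException {
        return generateToken(aPIKeyValidationInfoDTO, str, str2, null);
    }

    /**
     * Builds the compact JWT {@code header.body.signature}.
     *
     * <p>A {@code null} header or body is encoded as an empty segment. When the configured
     * algorithm is not {@code SHA256withRSA} the token is unsigned and ends with a trailing
     * dot (empty signature segment). Segments are encoded from UTF-8 bytes, as the JWS
     * specification requires, independent of the JVM default charset.
     *
     * @param aPIKeyValidationInfoDTO validated key information; its end-user name selects the signing tenant
     * @param str first context value passed to the claim populators
     * @param str2 second context value passed to the claim populators
     * @param str3 third context value passed to the custom-claim populator
     * @return the serialised token
     * @throws APIManagementException if claims cannot be built or signing fails
     */
    @Override // org.wso2.carbon.apimgt.impl.token.TokenGenerator
    public String generateToken(APIKeyValidationInfoDTO aPIKeyValidationInfoDTO, String str, String str2, String str3) throws APIManagementException {
        String header = buildHeader(aPIKeyValidationInfoDTO);
        String encodedHeader = header != null ? Base64Utils.encode(header.getBytes(StandardCharsets.UTF_8)) : "";
        String body = buildBody(aPIKeyValidationInfoDTO, str, str2, str3);
        String encodedBody = body != null ? Base64Utils.encode(body.getBytes(StandardCharsets.UTF_8)) : "";
        String signingInput = encodedHeader + "." + encodedBody;
        if (!SHA256_WITH_RSA.equals(this.signatureAlgorithm)) {
            // Unsigned ("alg":"none") token: empty signature segment.
            return signingInput + ".";
        }
        byte[] signatureBytes = signJWT(signingInput, aPIKeyValidationInfoDTO.getEndUserName());
        String encodedSignature = Base64Utils.encode(signatureBytes);
        if (log.isDebugEnabled()) {
            // Log the encoded form; the raw signature bytes are not printable text.
            log.debug("signed assertion value : " + encodedSignature);
        }
        return signingInput + "." + encodedSignature;
    }

    /**
     * Builds the JOSE header JSON for the configured algorithm.
     *
     * @param aPIKeyValidationInfoDTO validated key information; its end-user name selects the tenant certificate
     * @return header JSON, or {@code null} if the algorithm is neither {@code NONE} nor {@code SHA256withRSA}
     *         (not reachable after the constructor's whitelist, kept for safety)
     * @throws APIManagementException if the tenant certificate thumbprint cannot be produced
     */
    public String buildHeader(APIKeyValidationInfoDTO aPIKeyValidationInfoDTO) throws APIManagementException {
        if (NONE.equals(this.signatureAlgorithm)) {
            return "{\"typ\":\"JWT\",\"alg\":\"" + getJWSCompliantAlgorithmCode(NONE) + "\"}";
        }
        if (SHA256_WITH_RSA.equals(this.signatureAlgorithm)) {
            return addCertToHeader(aPIKeyValidationInfoDTO.getEndUserName());
        }
        return null;
    }

    /**
     * Builds the body JSON from the standard claims overlaid with the custom claims.
     *
     * <p>Both populators are always invoked (in that order). Claim names and string values
     * are JSON-escaped before being written, so a value containing quotes, backslashes or
     * control characters (claim values originate from user attributes) cannot break the
     * document or inject additional claims. {@code exp}, {@code nbf} and {@code iat} are
     * emitted as bare numbers exactly as the populator supplied them.
     *
     * @param aPIKeyValidationInfoDTO validated key information for the request
     * @param str first context value passed to the claim populators
     * @param str2 second context value passed to the claim populators
     * @param str3 third context value passed to the custom-claim populator
     * @return body JSON, or {@code null} when {@link #populateStandardClaims} returned {@code null}
     * @throws APIManagementException propagated from the populators
     */
    public String buildBody(APIKeyValidationInfoDTO aPIKeyValidationInfoDTO, String str, String str2, String str3) throws APIManagementException {
        Map<String, String> claims = populateStandardClaims(aPIKeyValidationInfoDTO, str, str2);
        Map<String, String> customClaims = populateCustomClaims(aPIKeyValidationInfoDTO, str, str2, str3);
        if (claims == null) {
            return null;
        }
        if (customClaims != null) {
            // Custom claims override standard ones on a name clash.
            claims.putAll(customClaims);
        }
        StringBuilder json = new StringBuilder("{");
        for (Map.Entry<String, String> entry : claims.entrySet()) {
            // String.valueOf keeps the historical rendering of a null name/value as the text "null".
            String name = String.valueOf(entry.getKey());
            String value = String.valueOf(entry.getValue());
            if (isNumericDateClaim(name)) {
                json.append('"').append(name).append("\":").append(value).append(APIConstants.OAUTH_HEADER_SPLITTER);
            } else {
                json.append('"').append(escapeJson(name)).append("\":\"").append(escapeJson(value)).append("\",");
            }
        }
        if (json.length() > 1) {
            // Drop the trailing separator left by the last claim.
            json.setLength(json.length() - 1);
        }
        json.append('}');
        return json.toString();
    }

    /** @return whether {@code name} is one of the registered NumericDate claims written as bare numbers */
    private static boolean isNumericDateClaim(String name) {
        return "exp".equals(name) || "nbf".equals(name) || "iat".equals(name);
    }

    /**
     * Escapes a string for inclusion inside a JSON string literal (RFC 8259 section 7).
     *
     * @param value text to escape; must not be {@code null}
     * @return the escaped text without surrounding quotes
     */
    private static String escapeJson(String value) {
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '"':
                    out.append("\\\"");
                    break;
                case '\\':
                    out.append("\\\\");
                    break;
                case '\n':
                    out.append("\\n");
                    break;
                case '\r':
                    out.append("\\r");
                    break;
                case '\t':
                    out.append("\\t");
                    break;
                case '\b':
                    out.append("\\b");
                    break;
                case '\f':
                    out.append("\\f");
                    break;
                default:
                    if (c < 0x20) {
                        // Remaining C0 control characters must be \uXXXX-escaped.
                        out.append(String.format("\\u%04x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    /**
     * Signs {@code signingInput} with the private key of the tenant the end user belongs to.
     *
     * @param signingInput the already-encoded {@code header.body} text
     * @param endUserName end-user name whose tenant domain selects the keystore
     * @return raw signature bytes
     * @throws APIManagementException if the tenant registry or key cannot be loaded, no
     *         private key is available, or the JCA signing operation fails
     */
    private byte[] signJWT(String signingInput, String endUserName) throws APIManagementException {
        String tenantDomain = null;
        try {
            tenantDomain = MultitenantUtils.getTenantDomain(endUserName);
            int tenantId = APIUtil.getTenantId(endUserName);
            Key key = privateKeys.get(tenantId);
            if (key == null) {
                key = loadTenantPrivateKey(tenantId, tenantDomain);
                if (key != null) {
                    privateKeys.put(tenantId, key);
                }
            }
            if (!(key instanceof PrivateKey)) {
                // Fail with a clear message instead of an opaque InvalidKeyException/ClassCastException.
                throw new APIManagementException("No private key available for tenant " + tenantDomain + " to sign the JWT");
            }
            Signature signer = Signature.getInstance(this.signatureAlgorithm);
            signer.initSign((PrivateKey) key);
            signer.update(signingInput.getBytes(StandardCharsets.UTF_8));
            return signer.sign();
        } catch (InvalidKeyException e) {
            throw new APIManagementException("Invalid private key provided for the signature", e);
        } catch (NoSuchAlgorithmException e) {
            throw new APIManagementException("Signature algorithm not found.", e);
        } catch (SignatureException e) {
            throw new APIManagementException("Error in signature", e);
        } catch (RegistryException e) {
            throw new APIManagementException("Error in loading tenant registry for " + tenantDomain, e);
        }
    }

    /**
     * Loads a tenant's signing key from its keystore (the default keystore for the super tenant).
     *
     * @param tenantId tenant id used to load the registry and keystore manager
     * @param tenantDomain tenant domain; also the key alias in a tenant keystore
     * @return the key, or {@code null} if the keystore manager has none
     * @throws RegistryException if the tenant registry cannot be loaded
     * @throws APIManagementException if the super-tenant default key cannot be read
     */
    private static Key loadTenantPrivateKey(int tenantId, String tenantDomain) throws APIManagementException, RegistryException {
        APIUtil.loadTenantRegistry(tenantId);
        KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(tenantId);
        if (SUPER_TENANT_DOMAIN.equals(tenantDomain)) {
            try {
                return keyStoreManager.getDefaultPrivateKey();
            } catch (Exception e) {
                throw new APIManagementException("Error while obtaining private key for super tenant", e);
            }
        }
        return keyStoreManager.getPrivateKey(tenantKeyStoreName(tenantDomain), tenantDomain);
    }

    /**
     * Derives the per-tenant keystore file name from the tenant domain
     * (dots replaced by dashes, {@code .jks} appended).
     */
    private static String tenantKeyStoreName(String tenantDomain) {
        return tenantDomain.trim().replace(".", "-") + TENANT_KEYSTORE_EXTENSION;
    }

    /**
     * Returns the token time-to-live from configuration, reading it once and caching it.
     *
     * <p>Double-checked on the volatile {@link #ttl}; the lock is {@code JWTGenerator.class}
     * for compatibility with the original implementation.
     *
     * @return the configured TTL, or {@value #DEFAULT_TTL} when the property is absent
     * @throws NumberFormatException if the configured value is not a valid long
     */
    /* decompiler note: originally declared protected */
    public long getTTL() {
        long current = ttl;
        if (current != TTL_UNSET) {
            return current;
        }
        synchronized (JWTGenerator.class) {
            if (ttl == TTL_UNSET) {
                String configured = readConfigProperty(APIConstants.API_KEY_SECURITY_CONTEXT_TTL);
                ttl = configured != null ? Long.parseLong(configured) : DEFAULT_TTL;
            }
            return ttl;
        }
    }

    /**
     * Builds the signed-token header, including the {@code x5t} thumbprint of the tenant's
     * public certificate so verifiers can pick the right key.
     *
     * <p>The thumbprint is SHA-1 over the DER-encoded certificate, rendered as lowercase hex
     * and then Base64-encoded (kept for wire compatibility; not the RFC 7515 encoding).
     *
     * @param endUserName end-user name whose tenant domain selects the certificate
     * @return header JSON
     * @throws APIManagementException if the keystore/certificate cannot be read or no
     *         certificate exists for the tenant
     */
    private String addCertToHeader(String endUserName) throws APIManagementException {
        try {
            String tenantDomain = MultitenantUtils.getTenantDomain(endUserName);
            int tenantId = APIUtil.getTenantId(endUserName);
            Certificate certificate = publicCerts.get(tenantId);
            if (certificate == null) {
                APIUtil.loadTenantRegistry(tenantId);
                KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(tenantId);
                if (SUPER_TENANT_DOMAIN.equals(tenantDomain)) {
                    certificate = keyStoreManager.getDefaultPrimaryCertificate();
                } else {
                    certificate = keyStoreManager.getKeyStore(tenantKeyStoreName(tenantDomain)).getCertificate(tenantDomain);
                }
                if (certificate == null) {
                    // Previously surfaced as a NullPointerException caught by the generic handler below.
                    throw new APIManagementException("No public certificate found for tenant " + tenantDomain);
                }
                publicCerts.put(tenantId, certificate);
            }
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            byte[] thumbprint = sha1.digest(certificate.getEncoded());
            return "{\"typ\":\"JWT\",\"alg\":\"" + getJWSCompliantAlgorithmCode(this.signatureAlgorithm)
                    + "\",\"x5t\":\"" + Base64Utils.encode(hexify(thumbprint).getBytes(StandardCharsets.UTF_8)) + "\"}";
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
            throw new APIManagementException("Error in generating public cert thumbprint", e);
        } catch (APIManagementException e) {
            throw e;
        } catch (Exception e) {
            // KeyStoreManager#getKeyStore declares a bare Exception; this is the keystore-access boundary.
            throw new APIManagementException("Error in obtaining tenant's keystore", e);
        }
    }

    /**
     * Renders bytes as lowercase hexadecimal, two characters per byte.
     *
     * @param bytes input bytes
     * @return hex string of length {@code 2 * bytes.length}
     */
    private static String hexify(byte[] bytes) {
        StringBuilder hex = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            hex.append(HEX_DIGITS[(b >> 4) & 0x0f]).append(HEX_DIGITS[b & 0x0f]);
        }
        return hex.toString();
    }

    /**
     * Maps a JCA algorithm name to its JWS {@code alg} header value.
     *
     * @param str JCA algorithm name; {@code null} is treated as {@code NONE}
     * @return the JWS code for the two supported algorithms, otherwise {@code str} unchanged
     */
    public String getJWSCompliantAlgorithmCode(String str) {
        if (str == null || NONE.equals(str)) {
            return JWTSignatureAlg.NONE.getJwsCompliantCode();
        }
        if (SHA256_WITH_RSA.equals(str)) {
            return JWTSignatureAlg.SHA256_WITH_RSA.getJwsCompliantCode();
        }
        return str;
    }
}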
