package io.openliberty.security.common.jwt.jws;

import com.ibm.websphere.ras.ProtectedString;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.common.http.HttpUtils;
import com.ibm.ws.security.common.jwk.impl.JWKSet;
import com.ibm.ws.security.common.jwk.impl.JwKRetriever;
import io.openliberty.security.common.jwt.exceptions.SharedKeyMissingException;
import io.openliberty.security.common.jwt.exceptions.UnsupportedSignatureAlgorithmException;
import io.openliberty.security.common.jwt.jwk.RemoteJwkData;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import org.apache.http.NameValuePair;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.HttpGet;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.keys.HmacKey;

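/**
 * Selects the key used to verify the signature of a JWS, based on the {@code alg} header of the
 * token being verified.
 *
 * <p>Three outcomes are possible for a supported algorithm:
 * <ul>
 * <li>{@code none}: no key is returned ({@code null});</li>
 * <li>{@code HS*}: an HMAC key built from the configured shared secret;</li>
 * <li>anything else: a public key looked up through a {@link JwKRetriever}.</li>
 * </ul>
 *
 * <p>Security note: the algorithm is read from the JWS header, i.e. from the token itself, and this
 * class only checks it against {@link #SUPPORTED_SIGNATURE_ALGORITHMS}. Nothing in this class compares
 * it with an algorithm the deployment expects, so that comparison (and the decision whether unsigned
 * tokens are acceptable at all) has to be made by the caller.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "$$$tc$$$", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@TraceOptions
/* loaded from: input_file:io/openliberty/security/common/jwt/jws/JwsVerificationKeyHelper.class */
public class JwsVerificationKeyHelper {
    /**
     * Algorithm names accepted by {@link #getSignatureAlgorithmFromJws(JsonWebStructure)}.
     * The set is unmodifiable and includes {@code "none"}.
     */
    public static final Set<String> SUPPORTED_SIGNATURE_ALGORITHMS;
    private final String configId;

    @Sensitive
    private final ProtectedString sharedSecret;
    private final RemoteJwkData remoteJwkData;
    private final JWKSet jwkSet;
    static final long serialVersionUID = -842634126920425930L;
    private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register("io.openliberty.security.common.jwt.jws.JwsVerificationKeyHelper", JwsVerificationKeyHelper.class, (String) null, (String) null);

    /**
     * Fluent builder for {@link JwsVerificationKeyHelper}. Every setting is optional; values that are
     * never set stay {@code null} and are passed through to the helper unchanged.
     */
    @InjectedFFDC
    @TraceObjectField(fieldName = "$$$tc$$$", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
    @TraceOptions
    /* loaded from: input_file:io/openliberty/security/common/jwt/jws/JwsVerificationKeyHelper$Builder.class */
    public static class Builder {
        private String configId;

        @Sensitive
        private ProtectedString sharedSecret;
        private RemoteJwkData remoteJwkData;
        private JWKSet jwkSet;
        static final long serialVersionUID = 9021088606431837839L;
        private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register("io.openliberty.security.common.jwt.jws.JwsVerificationKeyHelper$Builder", Builder.class, (String) null, (String) null);

        /** Sets the configuration id that is handed to the {@link JwKRetriever}. */
        public Builder configId(String str) {
            this.configId = str;
            return this;
        }

        /** Sets the shared secret used to build the HMAC key for {@code HS*} algorithms. */
        public Builder sharedSecret(@Sensitive ProtectedString protectedString) {
            this.sharedSecret = protectedString;
            return this;
        }

        /** Sets the remote JWKS settings (URI, SSL support, connect and read timeouts). */
        public Builder remoteJwkData(RemoteJwkData remoteJwkData) {
            this.remoteJwkData = remoteJwkData;
            return this;
        }

        /** Sets the JWK set that is handed to the {@link JwKRetriever}. */
        public Builder jwkSet(JWKSet jWKSet) {
            this.jwkSet = jWKSet;
            return this;
        }

        /** Creates the helper from the values collected so far. */
        public JwsVerificationKeyHelper build() {
            return new JwsVerificationKeyHelper(this);
        }
    }

    private JwsVerificationKeyHelper(Builder builder) {
        this.configId = builder.configId;
        this.sharedSecret = builder.sharedSecret;
        this.remoteJwkData = builder.remoteJwkData;
        this.jwkSet = builder.jwkSet;
    }

    /** Returns the remote JWKS settings this helper was built with, possibly {@code null}. */
    public RemoteJwkData getRemoteJwkData() {
        return this.remoteJwkData;
    }

    /**
     * Returns the key to verify the given JWS with, chosen by the token's {@code alg} header.
     *
     * @param jsonWebStructure the JWS whose signature is to be verified
     * @return {@code null} when the token declares {@code alg=none}; the shared HMAC key for
     *         {@code HS*} algorithms; otherwise the public key resolved from the JWK source
     * @throws UnsupportedSignatureAlgorithmException if the structure is not a JWS or its algorithm
     *         is not in {@link #SUPPORTED_SIGNATURE_ALGORITHMS}
     * @throws SharedKeyMissingException if an {@code HS*} algorithm is used and no shared secret is set
     * @throws Exception if the public key lookup fails
     */
    public Key getVerificationKey(JsonWebStructure jsonWebStructure) throws Exception {
        // getSignatureAlgorithmFromJws() only returns members of the supported set and throws
        // otherwise, so no separate null handling is needed before dereferencing the result.
        String signatureAlgorithmFromJws = getSignatureAlgorithmFromJws(jsonWebStructure);
        if (signatureAlgorithmFromJws.equalsIgnoreCase("none")) {
            // SECURITY: a null return means "this token is unsigned", not "verification passed".
            // The algorithm comes from the token header, so any sender can claim "none"; callers
            // must reject such tokens unless the configuration explicitly allows unsigned JWTs.
            return null;
        }
        if (signatureAlgorithmFromJws.startsWith("HS")) {
            return getSharedKey();
        }
        return retrievePublicKey(jsonWebStructure, signatureAlgorithmFromJws);
    }

    /**
     * Reads the {@code alg} header value from a JWS and checks it against the supported set.
     *
     * @param jsonWebStructure the structure to inspect; anything that is not a
     *        {@link JsonWebSignature} (including {@code null}) is treated as having no algorithm
     * @return the algorithm header value, guaranteed to be in {@link #SUPPORTED_SIGNATURE_ALGORITHMS}
     * @throws UnsupportedSignatureAlgorithmException if the value is missing or not supported
     */
    String getSignatureAlgorithmFromJws(JsonWebStructure jsonWebStructure) throws UnsupportedSignatureAlgorithmException {
        String algorithm = null;
        // instanceof is false for null, so no separate null check is required.
        if (jsonWebStructure instanceof JsonWebSignature) {
            algorithm = ((JsonWebSignature) jsonWebStructure).getAlgorithmHeaderValue();
        }
        if (!SUPPORTED_SIGNATURE_ALGORITHMS.contains(algorithm)) {
            throw new UnsupportedSignatureAlgorithmException(algorithm);
        }
        return algorithm;
    }

    /**
     * Builds the HMAC verification key from the UTF-8 bytes of the configured shared secret.
     *
     * @return an {@link HmacKey} over the secret's UTF-8 encoding
     * @throws SharedKeyMissingException if no shared secret is configured or it is empty
     * @throws UnsupportedEncodingException never thrown by this implementation; kept in the
     *         signature for compatibility with existing callers
     */
    Key getSharedKey() throws SharedKeyMissingException, UnsupportedEncodingException {
        if (this.sharedSecret == null || this.sharedSecret.isEmpty()) {
            throw new SharedKeyMissingException();
        }
        // Encode straight from the char[] so the secret is never copied into an immutable String,
        // which cannot be cleared and stays on the heap until it is garbage collected.
        // NOTE(review): the char[] from getChars() is not wiped here because it is not visible from
        // this class whether it is a copy or the ProtectedString's own storage - confirm.
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(this.sharedSecret.getChars()));
        byte[] keyBytes = new byte[encoded.remaining()];
        encoded.get(keyBytes);
        return new HmacKey(keyBytes);
    }

    /**
     * Looks up the public key for the given JWS through a freshly created {@link JwKRetriever},
     * using the token's key id and X.509 SHA-1 thumbprint headers and the key use {@code "sig"}.
     *
     * <p>NOTE(review): both lookup headers are taken from the token; which keys they can select
     * depends on the configured JWK set / JWKS URI - confirm in JwKRetriever.
     *
     * @param jsonWebStructure the JWS supplying the key id and thumbprint headers
     * @param str the signature algorithm, passed on to the retriever
     * @return whatever the retriever returns for that lookup
     */
    Key retrievePublicKey(JsonWebStructure jsonWebStructure, String str) throws IOException, Exception {
        JwKRetriever retriever = createJwkRetriever(str);
        String keyId = jsonWebStructure.getKeyIdHeaderValue();
        String x5t = jsonWebStructure.getX509CertSha1ThumbprintHeaderValue();
        return retriever.getPublicKeyFromJwk(keyId, x5t, "sig", false);
    }

    /**
     * Creates a {@link JwKRetriever} for this helper's configuration and replaces its
     * {@code httpUtils} so that GET requests carry the configured JWKS connect and read timeouts.
     *
     * @param str the signature algorithm, passed as the last constructor argument
     * @return the configured retriever
     */
    JwKRetriever createJwkRetriever(String str) throws Exception {
        // Without remote JWKS settings the URI and SSL support arguments are passed as null.
        JwKRetriever jwKRetriever = new JwKRetriever(this.configId, (String) null, this.remoteJwkData == null ? null : this.remoteJwkData.getJwksUri(), this.jwkSet, this.remoteJwkData == null ? null : this.remoteJwkData.getSslSupport(), false, (String) null, (String) null, str);
        jwKRetriever.httpUtils = new HttpUtils() { // from class: io.openliberty.security.common.jwt.jws.JwsVerificationKeyHelper.1
            static final long serialVersionUID = -727949461797227429L;
            private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register("io.openliberty.security.common.jwt.jws.JwsVerificationKeyHelper$1", AnonymousClass1.class, (String) null, (String) null);

            public HttpGet createHttpGetMethod(String str2, List<NameValuePair> list) {
                HttpGet createHttpGetMethod = super.createHttpGetMethod(str2, list);
                if (JwsVerificationKeyHelper.this.remoteJwkData != null) {
                    // Apply the configured timeouts to the outbound JWKS request.
                    createHttpGetMethod.setConfig(RequestConfig.custom().setConnectTimeout(JwsVerificationKeyHelper.this.remoteJwkData.getJwksConnectTimeout()).setSocketTimeout(JwsVerificationKeyHelper.this.remoteJwkData.getJwksReadTimeout()).build());
                }
                return createHttpGetMethod;
            }
        };
        return jwKRetriever;
    }

    static {
        Set<String> algorithms = new HashSet<>();
        // "none" is accepted by the algorithm check; getVerificationKey() returns null for it.
        algorithms.add("none");
        algorithms.add("RS256");
        algorithms.add("RS384");
        algorithms.add("RS512");
        algorithms.add("HS256");
        algorithms.add("HS384");
        algorithms.add("HS512");
        algorithms.add("ES256");
        algorithms.add("ES384");
        algorithms.add("ES512");
        SUPPORTED_SIGNATURE_ALGORITHMS = Collections.unmodifiableSet(algorithms);
    }
}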
