package com.ibm.ws.security.jwt.utils;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.Sensitive;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.websphere.security.jwt.InvalidTokenException;
import com.ibm.websphere.security.jwt.KeyException;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.kernel.security.thread.ThreadIdentityManager;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.common.jwk.impl.JwKRetriever;
import com.ibm.ws.security.common.jwk.impl.JwkKidBuilder;
import com.ibm.ws.security.jwt.config.JwtConfig;
import com.ibm.ws.security.jwt.config.JwtConsumerConfig;
import com.ibm.ws.security.jwt.config.MpConfigProperties;
import com.ibm.ws.security.jwt.internal.BuilderImpl;
import com.ibm.ws.security.jwt.internal.JwtTokenException;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStoreException;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.util.regex.Pattern;
import org.jose4j.base64url.Base64;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.lang.JoseException;

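/**
 * Helpers for producing a JWE (JSON Web Encryption) compact serialization from a builder
 * and for recovering the payload (normally a nested JWS) from a JWE presented to a consumer.
 *
 * <p>Key selection on the consumer side is driven by the {@code kid} value read from the
 * JWE protected header. That header is parsed <em>before</em> any decryption, so its
 * contents are untrusted: they only choose which configured key to try, and decryption
 * itself is what authenticates the token (AEAD content encryption in jose4j).
 *
 * <p>All methods are static and stateless apart from the trace component; the class is
 * safe to use from multiple threads.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@TraceOptions
public class JweHelper {
    /** Regex fragment matching a single character that is not the compact-serialization separator. */
    private static final String NOT_PERIOD = "[^\\.]";
    // Retained for binary compatibility with earlier builds of this class.
    static final long serialVersionUID = 5370398027880915039L;
    private static final TraceComponent tc = Tr.register(JweHelper.class, "JWTBUILDER", "com.ibm.ws.security.jwt.internal.resources.JWTMessages");
    /** A JWS compact serialization has exactly three dot-separated segments (segments may be empty). */
    private static final Pattern JWS_PATTERN = Pattern.compile("^(" + NOT_PERIOD + "*\\.){2}" + NOT_PERIOD + "*$");
    /** A JWE compact serialization has exactly five dot-separated segments (segments may be empty). */
    private static final Pattern JWE_PATTERN = Pattern.compile("^(" + NOT_PERIOD + "*\\.){4}" + NOT_PERIOD + "*$");

    /**
     * Encrypts {@code str} (normally an already-signed JWS) into a JWE compact serialization
     * using the key management key, algorithms and headers derived from the builder and config.
     *
     * @param str     the payload to encrypt
     * @param jwtData carrier for the builder and the {@link JwtConfig} in effect
     * @return the JWE compact serialization
     * @throws Exception wrapping any failure, with message {@code ERROR_BUILDING_SIGNED_JWE}
     *                   keyed on the config id; the original exception is kept as the cause
     */
    @FFDCIgnore({Exception.class})
    public static String createJweString(String str, JwtData jwtData) throws Exception {
        JwtConfig config = jwtData.getConfig();
        try {
            JsonWebEncryption jwe = new JsonWebEncryption();
            BuilderImpl builder = jwtData.getBuilder();
            setJweKeyData(jwe, builder, config);
            setJweHeaders(jwe, builder, config);
            jwe.setPayload(str);
            return getJwtString(jwe);
        } catch (Exception e) {
            throw new Exception(Tr.formatMessage(tc, "ERROR_BUILDING_SIGNED_JWE", new Object[]{config.getId(), e}), e);
        }
    }

    /**
     * Returns whether {@code str} has the shape of a JWS compact serialization
     * (three dot-separated segments). This is a structural check only; nothing is verified.
     *
     * @param str candidate token, may be {@code null}
     * @return {@code true} for a non-empty three-segment string, otherwise {@code false}
     */
    public static boolean isJws(String str) {
        if (str == null || str.isEmpty()) {
            return false;
        }
        return JWS_PATTERN.matcher(str).matches();
    }

    /**
     * Returns whether {@code str} has the shape of a JWE compact serialization
     * (five dot-separated segments). This is a structural check only; nothing is decrypted.
     *
     * @param str candidate token, may be {@code null}
     * @return {@code true} for a non-empty five-segment string, otherwise {@code false}
     */
    public static boolean isJwe(String str) {
        if (str == null || str.isEmpty()) {
            return false;
        }
        return JWE_PATTERN.matcher(str).matches();
    }

    /**
     * Returns whether the consumer expects a plain JWS, i.e. the inverse of
     * {@link #isJweRequired(JwtConsumerConfig)}.
     */
    public static boolean isJwsRequired(JwtConsumerConfig jwtConsumerConfig) {
        return !isJweRequired(jwtConsumerConfig);
    }

    /**
     * Returns whether the consumer expects a plain JWS, i.e. the inverse of
     * {@link #isJweRequired(JwtConsumerConfig, MpConfigProperties)}.
     */
    public static boolean isJwsRequired(JwtConsumerConfig jwtConsumerConfig, MpConfigProperties mpConfigProperties) {
        return !isJweRequired(jwtConsumerConfig, mpConfigProperties);
    }

    /**
     * Returns whether the consumer is configured to require an encrypted token: a key
     * management key alias is set in server config.
     */
    public static boolean isJweRequired(JwtConsumerConfig jwtConsumerConfig) {
        return jwtConsumerConfig.getKeyManagementKeyAlias() != null;
    }

    /**
     * Returns whether the consumer is configured to require an encrypted token, either via
     * the server-config key management key alias or via the MP JWT
     * {@code DECRYPT_KEY_LOCATION} property.
     *
     * @param mpConfigProperties consulted only when no alias is configured; must not be
     *                           {@code null} in that case
     */
    public static boolean isJweRequired(JwtConsumerConfig jwtConsumerConfig, MpConfigProperties mpConfigProperties) {
        // Short-circuit keeps the original evaluation order: MP config is only read when no alias is set.
        return jwtConsumerConfig.getKeyManagementKeyAlias() != null
                || mpConfigProperties.get(MpConfigProperties.DECRYPT_KEY_LOCATION) != null;
    }

    /**
     * Decrypts a JWE and returns the nested JWS it carries, reading the {@code kid} from the
     * token's own protected header.
     *
     * @see #extractJwsFromJweToken(String, JwtConsumerConfig, MpConfigProperties, JwtClaims)
     */
    public static String extractJwsFromJweToken(String str, JwtConsumerConfig jwtConsumerConfig, MpConfigProperties mpConfigProperties) throws InvalidTokenException {
        return extractJwsFromJweToken(str, jwtConsumerConfig, mpConfigProperties, getJweHeaderParams(str));
    }

    /**
     * Decrypts a JWE and returns its payload, requiring that payload to be a JWS.
     *
     * @param jwtClaims the already-parsed JWE protected header (used for {@code kid})
     * @return the nested JWS compact serialization
     * @throws InvalidTokenException if decryption fails, or if the decrypted payload is not
     *                               structurally a JWS ({@code NESTED_JWS_REQUIRED_BUT_NOT_FOUND})
     */
    public static String extractJwsFromJweToken(String str, JwtConsumerConfig jwtConsumerConfig, MpConfigProperties mpConfigProperties, JwtClaims jwtClaims) throws InvalidTokenException {
        String payload = extractPayloadFromJweToken(str, jwtConsumerConfig, mpConfigProperties, jwtClaims);
        if (isJws(payload)) {
            return payload;
        }
        throw new InvalidTokenException(Tr.formatMessage(tc, "NESTED_JWS_REQUIRED_BUT_NOT_FOUND", new Object[0]));
    }

    /**
     * Decrypts a JWE and returns its payload (any content), reading the {@code kid} from the
     * token's own protected header.
     *
     * @see #extractPayloadFromJweToken(String, JwtConsumerConfig, MpConfigProperties, JwtClaims)
     */
    public static String extractPayloadFromJweToken(String str, JwtConsumerConfig jwtConsumerConfig, MpConfigProperties mpConfigProperties) throws InvalidTokenException {
        return extractPayloadFromJweToken(str, jwtConsumerConfig, mpConfigProperties, getJweHeaderParams(str));
    }

    /**
     * Decrypts a JWE and returns its payload, translating every failure into an
     * {@link InvalidTokenException} keyed on the consumer id
     * ({@code ERROR_EXTRACTING_JWS_PAYLOAD_FROM_JWE}); the cause is preserved.
     */
    @FFDCIgnore({Exception.class})
    public static String extractPayloadFromJweToken(String str, JwtConsumerConfig jwtConsumerConfig, MpConfigProperties mpConfigProperties, JwtClaims jwtClaims) throws InvalidTokenException {
        try {
            return getJwePayload(str, jwtConsumerConfig, mpConfigProperties, jwtClaims);
        } catch (Exception e) {
            throw new InvalidTokenException(Tr.formatMessage(tc, "ERROR_EXTRACTING_JWS_PAYLOAD_FROM_JWE", new Object[]{jwtConsumerConfig.getId(), e}), e);
        }
    }

    /**
     * Resolves the decryption key for the token and decrypts it.
     *
     * <p>The {@code kid} comes from the unverified protected header; it only selects a key and
     * is never trusted on its own. A non-string {@code kid} fails the cast here and surfaces
     * to the caller as a generic extraction failure.
     *
     * @throws InvalidTokenException if no decryption key can be resolved ({@code JWE_DECRYPTION_KEY_MISSING})
     * @throws Exception             for key retrieval or decryption failures
     */
    static String getJwePayload(String str, JwtConsumerConfig jwtConsumerConfig, MpConfigProperties mpConfigProperties, JwtClaims jwtClaims) throws Exception {
        Key decryptionKey = getJweDecryptionKey(jwtConsumerConfig, mpConfigProperties, (String) jwtClaims.getClaimValue("kid"));
        if (decryptionKey == null) {
            throw new InvalidTokenException(Tr.formatMessage(tc, "JWE_DECRYPTION_KEY_MISSING", new Object[]{JwtUtils.CFG_KEY_KEY_MANAGEMENT_KEY_ALIAS, jwtConsumerConfig.getKeyManagementKeyAlias()}));
        }
        return getJwePayload(str, decryptionKey);
    }

    /**
     * Decrypts {@code str} with {@code key} and returns the plaintext payload.
     *
     * <p>Decryption runs under the server identity; the thread identity is restored exactly
     * once, in {@code finally}, regardless of outcome. When the payload looks like a JWS the
     * {@code cty} header must identify it as a nested JWT (RFC 7519 section 5.2).
     *
     * @throws JoseException         if the serialization cannot be parsed or decrypted
     * @throws InvalidTokenException if the payload is a JWS but {@code cty} is not {@code JWT}
     */
    static String getJwePayload(String str, @Sensitive Key key) throws JoseException, InvalidTokenException {
        JsonWebEncryption jwe = new JsonWebEncryption();
        jwe.setCompactSerialization(str);
        jwe.setKey(key);
        String payload;
        Object savedIdentity = ThreadIdentityManager.runAsServer();
        try {
            payload = jwe.getPayload();
        } finally {
            // try/finally (rather than reset-then-rethrow) guarantees a single reset even when
            // the content-type check below fails.
            ThreadIdentityManager.reset(savedIdentity);
        }
        if (isJws(payload)) {
            verifyContentType(jwe);
        }
        return payload;
    }

    /**
     * Requires the JWE {@code cty} header to be {@code JWT} (case-insensitive), as a nested
     * JWS must be labelled.
     *
     * @throws InvalidTokenException with {@code CTY_NOT_JWT_FOR_NESTED_JWS} if the header is
     *                               absent or has another value
     */
    static void verifyContentType(JsonWebEncryption jsonWebEncryption) throws InvalidTokenException {
        String contentType = jsonWebEncryption.getContentTypeHeaderValue();
        if (contentType == null || !"JWT".equalsIgnoreCase(contentType)) {
            throw new InvalidTokenException(Tr.formatMessage(tc, "CTY_NOT_JWT_FOR_NESTED_JWS", new Object[]{"\"cty\"", contentType, "\"JWT\""}));
        }
    }

    /**
     * Parses the JWE protected header (the first dot-separated segment) into a
     * {@link JwtClaims} map for parameter lookup such as {@code kid}.
     *
     * <p>The header is decoded as UTF-8 (JOSE headers are UTF-8 JSON) rather than the
     * platform default charset. Nothing here is verified, so callers must treat the result
     * as untrusted input. Any parse failure is logged at debug level and an empty
     * {@link JwtClaims} is returned.
     *
     * @param str the JWE compact serialization, may be {@code null}
     * @return the parsed header parameters, or an empty {@link JwtClaims}; never {@code null}
     */
    @FFDCIgnore({Exception.class})
    public static JwtClaims getJweHeaderParams(String str) {
        int firstDot = (str == null) ? -1 : str.indexOf('.');
        if (firstDot < 0) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "JWE string is null or has no '.' separator; cannot read the protected header", new Object[0]);
            }
            return new JwtClaims();
        }
        try {
            byte[] headerJson = Base64.decode(str.substring(0, firstDot));
            JwtClaims header = JwtClaims.parse(new String(headerJson, StandardCharsets.UTF_8));
            if (header != null) {
                return header;
            }
        } catch (Exception e) {
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Caught exception getting header from JWE string: " + e, new Object[0]);
            }
        }
        return new JwtClaims();
    }

    /**
     * Returns the {@code kid} header parameter of a JWE string, or {@code null} if absent.
     * The value comes from the unverified protected header.
     */
    String getKidFromJweString(String str) {
        return (String) getJweHeaderParams(str).getClaimValue("kid");
    }

    /**
     * Resolves the key management (encryption) key and installs it, plus a {@code kid}
     * header derived from it, on the JWE.
     *
     * @throws KeyStoreException with {@code KEY_MANAGEMENT_KEY_NOT_FOUND} if neither the
     *                           builder nor the trust store yields a key
     */
    static void setJweKeyData(JsonWebEncryption jsonWebEncryption, BuilderImpl builderImpl, JwtConfig jwtConfig) throws KeyStoreException, CertificateException, InvalidTokenException {
        Key keyManagementKey = getKeyManagementKey(builderImpl, jwtConfig);
        if (keyManagementKey == null) {
            throw new KeyStoreException(Tr.formatMessage(tc, "KEY_MANAGEMENT_KEY_NOT_FOUND", new Object[]{jwtConfig.getId(), jwtConfig.getKeyManagementKeyAlias(), jwtConfig.getTrustStoreRef()}));
        }
        jsonWebEncryption.setKey(keyManagementKey);
        setJweKidHeader(jsonWebEncryption, keyManagementKey);
    }

    /**
     * Returns the key set explicitly on the builder, falling back to the trust-store key
     * named by the config's key management key alias.
     *
     * @return the key, or {@code null} if neither source provides one
     */
    static Key getKeyManagementKey(BuilderImpl builderImpl, JwtConfig jwtConfig) throws KeyStoreException, CertificateException, InvalidTokenException {
        Key fromBuilder = builderImpl.getKeyManagementKey();
        return fromBuilder != null ? fromBuilder : getKeyManagementKeyFromTrustStore(jwtConfig);
    }

    /** Looks up the public key for the configured alias in the configured trust store. */
    static PublicKey getKeyManagementKeyFromTrustStore(JwtConfig jwtConfig) throws KeyStoreException, CertificateException, InvalidTokenException {
        return JwtUtils.getPublicKey(jwtConfig.getKeyManagementKeyAlias(), jwtConfig.getTrustStoreRef());
    }

    /**
     * Returns the consumer's configured JWE decryption key, falling back to a key located via
     * MP JWT config properties.
     *
     * @param str the {@code kid} from the token header used to pick a key from a JWK set
     * @return the private key, or {@code null} if none could be resolved
     */
    @Sensitive
    static Key getJweDecryptionKey(JwtConsumerConfig jwtConsumerConfig, MpConfigProperties mpConfigProperties, String str) throws Exception {
        Key configured = jwtConsumerConfig.getJweDecryptionKey();
        if (configured != null) {
            return configured;
        }
        return getJweDecryptionKeyFromMpConfigProps(jwtConsumerConfig, mpConfigProperties, str);
    }

    /**
     * Resolves a private decryption key from the MP JWT {@code DECRYPT_KEY_LOCATION} property
     * via a {@link JwKRetriever}.
     *
     * @return the private key, or {@code null} if {@code mpConfigProperties} is {@code null}
     * @throws KeyException if the location property holds an inline PEM key
     */
    @Sensitive
    private static Key getJweDecryptionKeyFromMpConfigProps(JwtConsumerConfig jwtConsumerConfig, MpConfigProperties mpConfigProperties, String str) throws Exception {
        if (mpConfigProperties == null) {
            return null;
        }
        String keyLocation = mpConfigProperties.get(MpConfigProperties.DECRYPT_KEY_LOCATION);
        checkDecryptKeyLocationForInlineKey(keyLocation);
        JwKRetriever retriever = new JwKRetriever(jwtConsumerConfig.getJwkSet());
        retriever.setSignatureAlgorithm(mpConfigProperties.getConfiguredSignatureAlgorithm(jwtConsumerConfig));
        retriever.setKeyLocation(keyLocation);
        return retriever.getPrivateKeyFromJwk(str, jwtConsumerConfig.getUseSystemPropertiesForHttpClientConnections());
    }

    /**
     * Rejects a decrypt-key location that contains PEM key material inline ({@code "BEGIN "}),
     * so private keys are not placed directly in configuration.
     *
     * @throws KeyException with {@code DECRYPT_KEY_LOCATION_INLINE_KEY}
     */
    static void checkDecryptKeyLocationForInlineKey(@Sensitive String str) throws KeyException {
        if (str != null && !str.isEmpty() && str.contains("BEGIN ")) {
            throw new KeyException(Tr.formatMessage(tc, "DECRYPT_KEY_LOCATION_INLINE_KEY", new Object[]{MpConfigProperties.DECRYPT_KEY_LOCATION}));
        }
    }

    /** Sets the {@code kid} header from the key's computed id, when one can be built. */
    static void setJweKidHeader(JsonWebEncryption jsonWebEncryption, Key key) {
        String keyId = new JwkKidBuilder().buildKeyId(key);
        if (keyId != null) {
            jsonWebEncryption.setKeyIdHeaderValue(keyId);
        }
    }

    /**
     * Sets {@code alg}, {@code enc}, {@code typ=JOSE} and {@code cty=jwt} on the JWE;
     * the payload is expected to be a nested JWT.
     */
    static void setJweHeaders(JsonWebEncryption jsonWebEncryption, BuilderImpl builderImpl, JwtConfig jwtConfig) {
        jsonWebEncryption.setAlgorithmHeaderValue(getKeyManagementKeyAlgorithm(builderImpl, jwtConfig));
        jsonWebEncryption.setEncryptionMethodHeaderParameter(getContentEncryptionAlgorithm(builderImpl, jwtConfig));
        jsonWebEncryption.setHeader("typ", "JOSE");
        jsonWebEncryption.setHeader("cty", "jwt");
    }

    /** Builder-supplied key management algorithm, else the config value (with default). */
    static String getKeyManagementKeyAlgorithm(BuilderImpl builderImpl, JwtConfig jwtConfig) {
        String alg = builderImpl.getKeyManagementAlg();
        return alg != null ? alg : getKeyManagementKeyAlgFromConfig(jwtConfig);
    }

    /**
     * Config key management algorithm, defaulting to
     * {@link BuilderImpl#DEFAULT_KEY_MANAGEMENT_ALGORITHM} when unset (logged at debug).
     */
    static String getKeyManagementKeyAlgFromConfig(JwtConfig jwtConfig) {
        String alg = jwtConfig.getKeyManagementKeyAlgorithm();
        if (alg != null) {
            return alg;
        }
        alg = BuilderImpl.DEFAULT_KEY_MANAGEMENT_ALGORITHM;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Key management algorithm not specified in server config. Defaulting to [" + alg + "]", new Object[0]);
        }
        return alg;
    }

    /** Builder-supplied content encryption algorithm, else the config value (with default). */
    static String getContentEncryptionAlgorithm(BuilderImpl builderImpl, JwtConfig jwtConfig) {
        String enc = builderImpl.getContentEncryptionAlg();
        return enc != null ? enc : getContentEncryptionAlgorithmFromConfig(jwtConfig);
    }

    /**
     * Config content encryption algorithm, defaulting to
     * {@link BuilderImpl#DEFAULT_CONTENT_ENCRYPTION_ALGORITHM} when unset (logged at debug).
     */
    static String getContentEncryptionAlgorithmFromConfig(JwtConfig jwtConfig) {
        String enc = jwtConfig.getContentEncryptionAlgorithm();
        if (enc != null) {
            return enc;
        }
        enc = BuilderImpl.DEFAULT_CONTENT_ENCRYPTION_ALGORITHM;
        if (tc.isDebugEnabled()) {
            Tr.debug(tc, "Content encryption algorithm not specified in server config. Defaulting to [" + enc + "]", new Object[0]);
        }
        return enc;
    }

    /**
     * Produces the JWE compact serialization (performing the encryption) under the server
     * identity; the thread identity is restored in {@code finally}.
     *
     * @throws JwtTokenException wrapping any failure after recording it with FFDC
     */
    static String getJwtString(JsonWebEncryption jsonWebEncryption) throws JwtTokenException {
        Object savedIdentity = ThreadIdentityManager.runAsServer();
        try {
            return jsonWebEncryption.getCompactSerialization();
        } catch (Exception e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.jwt.utils.JweHelper", "330", (Object) null, new Object[]{jsonWebEncryption});
            throw new JwtTokenException(e.getLocalizedMessage(), e);
        } finally {
            ThreadIdentityManager.reset(savedIdentity);
        }
    }
}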
