package org.keycloak.services.clientregistration;

import javax.ws.rs.core.UriInfo;
import org.keycloak.common.util.Time;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.jose.jws.crypto.RSAProvider;
import org.keycloak.models.ClientInitialAccessModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.services.Urls;
import org.keycloak.util.TokenUtil;

/* loaded from: input_file:wildfly-10.1.0.Final/modules/system/add-ons/keycloak/org/keycloak/keycloak-services/main/keycloak-services-2.1.0.Final.jar:org/keycloak/services/clientregistration/ClientRegistrationTokenUtils.class */
/**
 * Static helpers that mint and verify the signed tokens used by the client
 * registration service: initial access tokens and per-client registration
 * access tokens.
 *
 * <p>Tokens are {@link JsonWebToken}s signed with the realm's private key via
 * {@code JWSBuilder.rsa256} and checked against the realm's public key via
 * {@code RSAProvider.verify}. The issuer (also written as the audience) is
 * built from the base URI of the current request plus the realm name.
 */
public class ClientRegistrationTokenUtils {
    /** Token type written into initial access tokens. */
    public static final String TYPE_INITIAL_ACCESS_TOKEN = "InitialAccessToken";
    /** Token type written into registration access tokens. */
    public static final String TYPE_REGISTRATION_ACCESS_TOKEN = "RegistrationAccessToken";

    /**
     * Rotates the registration access token of a client, taking the realm and
     * request URI from the session context.
     *
     * @param keycloakSession session whose context supplies the realm and URI info
     * @param clientModel client whose registration token is replaced
     * @return the newly signed registration access token
     */
    public static String updateRegistrationAccessToken(KeycloakSession keycloakSession, ClientModel clientModel) {
        RealmModel realm = keycloakSession.getContext().getRealm();
        UriInfo requestUri = keycloakSession.getContext().getUri();
        return updateRegistrationAccessToken(realm, requestUri, clientModel);
    }

    /**
     * Rotates the registration access token of a client.
     *
     * <p>A fresh id is generated and stored on the client with
     * {@code setRegistrationToken}; the same id becomes the token id of the
     * returned token. Nothing in this class compares a presented token id with
     * the stored one.
     * NOTE(review): presumably the caller of {@link #verifyToken} does that
     * comparison, which is what would invalidate older tokens; confirm.
     *
     * @param realmModel realm whose private key signs the token
     * @param uriInfo request URI info used to derive the issuer
     * @param clientModel client whose registration token is replaced
     * @return the newly signed registration access token
     */
    public static String updateRegistrationAccessToken(RealmModel realmModel, UriInfo uriInfo, ClientModel clientModel) {
        String tokenId = KeycloakModelUtils.generateId();
        clientModel.setRegistrationToken(tokenId);
        // Expiration is passed as 0 for registration access tokens.
        // NOTE(review): whether 0 means "no expiry" depends on JsonWebToken.isActive(),
        // which is not visible here; confirm.
        return createToken(realmModel, uriInfo, tokenId, TYPE_REGISTRATION_ACCESS_TOKEN, 0);
    }

    /**
     * Creates a signed initial access token for the given model.
     *
     * <p>The expiration claim is {@code timestamp + expiration} when the model's
     * expiration is positive, otherwise 0.
     *
     * @param realmModel realm whose private key signs the token
     * @param uriInfo request URI info used to derive the issuer
     * @param clientInitialAccessModel source of the token id, timestamp and expiration
     * @return the signed initial access token
     */
    public static String createInitialAccessToken(RealmModel realmModel, UriInfo uriInfo, ClientInitialAccessModel clientInitialAccessModel) {
        String tokenId = clientInitialAccessModel.getId();
        int expiresAt;
        if (clientInitialAccessModel.getExpiration() > 0) {
            expiresAt = clientInitialAccessModel.getTimestamp() + clientInitialAccessModel.getExpiration();
        } else {
            expiresAt = 0;
        }
        return createToken(realmModel, uriInfo, tokenId, TYPE_INITIAL_ACCESS_TOKEN, expiresAt);
    }

    /**
     * Parses and verifies a client registration token.
     *
     * <p>Checks, in order: the signature against the realm's public key, the
     * issuer against the value derived from the current request, that the token
     * reports itself active, and that its type is Bearer, InitialAccessToken or
     * RegistrationAccessToken. Any failure, including a parse error, yields
     * {@code null}; no reason is reported to the caller.
     *
     * <p>Not checked here: the audience claim (although {@code createToken}
     * sets it) and the token id.
     * NOTE(review): the expected issuer is built from {@code uriInfo.getBaseUri()},
     * so the comparison follows whatever base URI the request was received on;
     * confirm how that value is derived in the deployment.
     * NOTE(review): how the JWS header algorithm is handled is up to
     * {@code RSAProvider.verify}, which is not visible here.
     *
     * @param realmModel realm whose public key verifies the signature
     * @param uriInfo request URI info used to derive the expected issuer
     * @param str the serialized token as received
     * @return the decoded token, or {@code null} if any check fails
     */
    public static JsonWebToken verifyToken(RealmModel realmModel, UriInfo uriInfo, String str) {
        try {
            JWSInput jws = new JWSInput(str);

            // Signature first: claims are only read from content that verified.
            boolean signatureValid = RSAProvider.verify(jws, realmModel.getPublicKey());
            if (!signatureValid) {
                return null;
            }

            JsonWebToken token = (JsonWebToken) jws.readJsonContent(JsonWebToken.class);

            String expectedIssuer = getIssuer(realmModel, uriInfo);
            if (!expectedIssuer.equals(token.getIssuer())) {
                return null;
            }
            if (!token.isActive()) {
                return null;
            }

            // Only the three known token types are accepted; anything else is rejected.
            boolean acceptedType = TokenUtil.TOKEN_TYPE_BEARER.equals(token.getType())
                    || TYPE_INITIAL_ACCESS_TOKEN.equals(token.getType())
                    || TYPE_REGISTRATION_ACCESS_TOKEN.equals(token.getType());
            return acceptedType ? token : null;
        } catch (JWSInputException parseFailure) {
            // Malformed input is treated like any other verification failure.
            return null;
        }
    }

    /**
     * Builds a token with the given id, type and expiration and signs it with
     * the realm's private key using {@code rsa256}.
     *
     * @param realm realm supplying the name for the issuer and the signing key
     * @param requestUri request URI info used to derive the issuer
     * @param tokenId value written as the token id
     * @param tokenType value written as the token type
     * @param expiration value written as the expiration claim
     * @return the serialized, signed token
     */
    private static String createToken(RealmModel realm, UriInfo requestUri, String tokenId, String tokenType, int expiration) {
        String issuer = getIssuer(realm, requestUri);

        JsonWebToken claims = new JsonWebToken();
        claims.type(tokenType);
        claims.id(tokenId);
        claims.issuedAt(Time.currentTime());
        claims.expiration(expiration);
        // Issuer and audience carry the same value: the realm's own issuer URL.
        claims.issuer(issuer);
        claims.audience(issuer);

        JWSBuilder builder = new JWSBuilder();
        return builder.jsonContent(claims).rsa256(realm.getPrivateKey());
    }

    /**
     * Returns the issuer for a realm, derived from the request's base URI and
     * the realm name.
     */
    private static String getIssuer(RealmModel realm, UriInfo requestUri) {
        String realmName = realm.getName();
        return Urls.realmIssuer(requestUri.getBaseUri(), realmName);
    }
}
