package io.smallrye.jwt.build.impl;

import io.smallrye.jwt.algorithm.SignatureAlgorithm;
import io.smallrye.jwt.build.JwtEncryptionBuilder;
import io.smallrye.jwt.build.JwtSignature;
import io.smallrye.jwt.build.JwtSignatureException;
import io.smallrye.jwt.util.KeyUtils;
import io.smallrye.jwt.util.ResourceUtils;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.PrivateKey;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKey;
import org.eclipse.microprofile.jwt.Claims;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;

/* loaded from: input_file:io/smallrye/jwt/build/impl/JwtSignatureImpl.class */
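/**
 * Produces signed (JWS, compact serialization) tokens from a set of claims and JOSE headers.
 *
 * <p>The signing key is either passed in by the caller, loaded from a location, or resolved from
 * configuration (keystore, key location, inline key content, in that order of preference as
 * implemented in {@link #sign()}).
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The {@code none} algorithm is always rejected, see {@link #getSignatureAlgorithm(Key)}.</li>
 *   <li>The algorithm family must match the key type (RSA key with RS or PS, EC key with ES,
 *       secret key with HS); a mismatch fails instead of silently signing.</li>
 *   <li>Key validation by jose4j can be switched off through configuration
 *       ({@code SIGN_KEY_RELAX_VALIDATION_PROPERTY}); see the note in {@link #signInternal(Key)}.</li>
 * </ul>
 *
 * <p>This listing is decompiler output; constructors and {@link #removeJti()} were package-private
 * in the original class according to the decompiler, and are kept {@code public} here only to
 * match the listing.
 *
 * <p>Instances are mutable (headers, cached PEM key) and nothing here synchronizes access.
 */
class JwtSignatureImpl implements JwtSignature {
    private static final String ED_EC_PRIVATE_KEY_INTERFACE = "java.security.interfaces.EdECPrivateKey";

    // Claims that become the JWS payload.
    JwtClaims claims;
    // JOSE headers copied onto the JWS; "alg" and "kid" may be added while resolving the key.
    Map<String, Object> headers;
    // Passed to JwtBuildUtils.setDefaultJwtClaims; may be null.
    Long tokenLifespan;
    // PEM private key cached by getSigningKeyFromKeyContent so later sign() calls skip key loading.
    Key configuredPemKey;

    /** Creates a signer with empty claims and no headers. */
    public JwtSignatureImpl() {
        this(new JwtClaims());
    }

    /**
     * Creates a signer for the given claims with no headers.
     *
     * @param jwtClaims the claims to sign; stored by reference, not copied
     */
    public JwtSignatureImpl(JwtClaims jwtClaims) {
        this.claims = jwtClaims;
        this.headers = new HashMap<>();
    }

    /**
     * Signs the claims with an asymmetric private key.
     *
     * @param privateKey the signing key; {@code null} is rejected by {@link #signInternal(Key)}
     * @return the compact JWS serialization
     * @throws JwtSignatureException if signing fails
     */
    @Override
    public String sign(PrivateKey privateKey) throws JwtSignatureException {
        return signInternal(privateKey);
    }

    /**
     * Signs the claims with a symmetric (HMAC) key.
     *
     * @param secretKey the signing key; {@code null} is rejected by {@link #signInternal(Key)}
     * @return the compact JWS serialization
     * @throws JwtSignatureException if signing fails
     */
    @Override
    public String sign(SecretKey secretKey) throws JwtSignatureException {
        return signInternal(secretKey);
    }

    /**
     * Loads key material from a location and signs the claims with it.
     *
     * <p>The location is handed to {@code KeyUtils.readKeyContent}; how it is resolved is not
     * visible here, so callers should treat it as a trusted, deployment-controlled value and not
     * derive it from request data.
     *
     * @param str the key location
     * @return the compact JWS serialization
     * @throws JwtSignatureException if the key cannot be loaded or signing fails
     */
    @Override
    public String sign(String str) throws JwtSignatureException {
        try {
            String keyContent = getKeyContentFromLocation(str);
            return signInternal(getSigningKeyFromKeyContent(keyContent));
        } catch (JwtSignatureException e) {
            throw e;
        } catch (Exception e) {
            // Anything that is not already a signature exception is wrapped with its cause kept.
            throw ImplMessages.msg.signatureException(e);
        }
    }

    /**
     * Signs the claims with the key resolved from configuration.
     *
     * <p>A PEM key cached by an earlier call is reused. Otherwise the key is resolved by
     * {@link #resolveConfiguredSigningKey()}. The {@code jti} claim is removed afterwards whether
     * signing succeeded or failed.
     *
     * @return the compact JWS serialization
     * @throws JwtSignatureException if no key is configured, no key can be built from the
     *         configured content, or signing fails
     */
    @Override
    public String sign() throws JwtSignatureException {
        try {
            Key key = this.configuredPemKey;
            if (key == null) {
                key = resolveConfiguredSigningKey();
            }
            if (key == null) {
                throw ImplMessages.msg.signingKeyCanNotBeCreatedFromContent();
            }
            return signInternal(key);
        } catch (JwtSignatureException e) {
            throw e;
        } catch (Exception e) {
            throw ImplMessages.msg.signatureException(e);
        } finally {
            removeJti();
        }
    }

    /**
     * Resolves the signing key from configuration.
     *
     * <p>With a key location configured: keystore first, then the resource at that location.
     * Without one: keystore first, then the inline key content property.
     *
     * @return the key, or {@code null} when a location is configured but yields no key
     * @throws Exception whatever the key-loading helpers throw; {@link #sign()} wraps it
     */
    private Key resolveConfiguredSigningKey() throws Exception {
        String keyLocation = (String) JwtBuildUtils.getConfigProperty(JwtBuildUtils.SIGN_KEY_LOCATION_PROPERTY, String.class);
        if (keyLocation == null) {
            Key keystoreKey = JwtBuildUtils.readPrivateKeyFromKeystore(null);
            if (keystoreKey != null) {
                return keystoreKey;
            }
            String keyContent = (String) JwtBuildUtils.getConfigProperty(JwtBuildUtils.SIGN_KEY_PROPERTY, String.class);
            if (keyContent == null) {
                throw ImplMessages.msg.signKeyNotConfigured();
            }
            return getSigningKeyFromKeyContent(keyContent);
        }

        String location = keyLocation.trim();
        Key keystoreKey = JwtBuildUtils.readPrivateKeyFromKeystore(location);
        if (keystoreKey != null) {
            return keystoreKey;
        }
        // try-with-resources tolerates a null stream and closes a non-null one on every path.
        try (InputStream keyStream = ResourceUtils.getResourceStream(location)) {
            if (keyStream == null) {
                return null;
            }
            // Decode explicitly as UTF-8: PEM is ASCII and JWK/JWK-set documents are JSON, so the
            // result must not depend on the platform default charset.
            String keyContent = new String(ResourceUtils.readBytes(keyStream), StandardCharsets.UTF_8);
            return getSigningKeyFromKeyContent(keyContent);
        }
    }

    /**
     * Signs the claims with an HMAC key derived from the given secret.
     *
     * <p>The strength of the resulting signature is bounded by the secret. Unless key validation
     * is relaxed, jose4j is expected to reject HMAC keys that are too short for the algorithm.
     *
     * @param str the shared secret
     * @return the compact JWS serialization
     * @throws JwtSignatureException if signing fails
     */
    @Override
    public String signWithSecret(String str) throws JwtSignatureException {
        return sign(KeyUtils.createSecretKeyFromSecret(str));
    }

    /**
     * Signs with the private key and returns an encryption builder over the signed token.
     *
     * @param privateKey the signing key
     * @return an encryption builder wrapping the signed token
     * @throws JwtSignatureException if signing fails
     */
    @Override
    public JwtEncryptionBuilder innerSign(PrivateKey privateKey) throws JwtSignatureException {
        return new JwtEncryptionImpl(sign(privateKey), true);
    }

    /**
     * Signs with the secret key and returns an encryption builder over the signed token.
     *
     * @param secretKey the signing key
     * @return an encryption builder wrapping the signed token
     * @throws JwtSignatureException if signing fails
     */
    @Override
    public JwtEncryptionBuilder innerSign(SecretKey secretKey) throws JwtSignatureException {
        return new JwtEncryptionImpl(sign(secretKey), true);
    }

    /**
     * Signs with the key at the given location and returns an encryption builder over the token.
     *
     * @param str the key location; see {@link #sign(String)} for the trust assumption
     * @return an encryption builder wrapping the signed token
     * @throws JwtSignatureException if the key cannot be loaded or signing fails
     */
    @Override
    public JwtEncryptionBuilder innerSign(String str) throws JwtSignatureException {
        return new JwtEncryptionImpl(sign(str), true);
    }

    /**
     * Signs with the configured key and returns an encryption builder over the signed token.
     *
     * @return an encryption builder wrapping the signed token
     * @throws JwtSignatureException if signing fails
     */
    @Override
    public JwtEncryptionBuilder innerSign() throws JwtSignatureException {
        try {
            return new JwtEncryptionImpl(sign(), true);
        } finally {
            // sign() already removes jti; kept so the claim is cleared even if wrapping fails.
            removeJti();
        }
    }

    /**
     * Signs with an HMAC key derived from the secret and returns an encryption builder.
     *
     * @param str the shared secret
     * @return an encryption builder wrapping the signed token
     * @throws JwtSignatureException if signing fails
     */
    @Override
    public JwtEncryptionBuilder innerSignWithSecret(String str) throws JwtSignatureException {
        return innerSign(KeyUtils.createSecretKeyFromSecret(str));
    }

    /**
     * Builds the JWS from the current headers and claims and signs it with the given key.
     *
     * @param key the signing key; must not be {@code null}
     * @return the compact JWS serialization
     */
    private String signInternal(Key key) {
        if (key == null) {
            throw ImplMessages.msg.signingKeyIsNull();
        }
        JwtBuildUtils.setDefaultJwtClaims(this.claims, this.tokenLifespan);

        JsonWebSignature jws = new JsonWebSignature();
        for (Map.Entry<String, Object> header : this.headers.entrySet()) {
            jws.setHeader(header.getKey(), header.getValue());
        }
        if (!this.headers.containsKey("typ")) {
            jws.setHeader("typ", "JWT");
        }
        // Set after the header copy so the validated algorithm wins over a raw "alg" header.
        jws.setAlgorithmHeaderValue(getSignatureAlgorithm(key));
        jws.setPayload(this.claims.toJson());
        jws.setKey(key);
        if (isRelaxKeyValidation()) {
            // Turns off jose4j's key checks (for example minimum key sizes). Tokens signed with an
            // undersized key are only as strong as that key; keep this off outside of tests.
            jws.setDoKeyValidation(false);
        }
        try {
            return jws.getCompactSerialization();
        } catch (Exception e) {
            throw ImplMessages.msg.signJwtTokenFailed(e.getMessage(), e);
        }
    }

    /** Returns whether configuration asks for relaxed key validation; defaults to {@code false}. */
    private boolean isRelaxKeyValidation() {
        return ((Boolean) JwtBuildUtils.getConfigProperty(JwtBuildUtils.SIGN_KEY_RELAX_VALIDATION_PROPERTY, Boolean.class, false)).booleanValue();
    }

    /**
     * Returns the signature algorithm requested through the {@code alg} header or configuration.
     *
     * <p>An {@code alg} header is returned as is. A configured value is normalized through
     * {@link SignatureAlgorithm#fromAlgorithm(String)} and stored in the headers.
     *
     * @return the algorithm name, or {@code null} when none is requested
     */
    private String getConfiguredSignatureAlgorithm() {
        String algorithm = (String) this.headers.get("alg");
        if (algorithm == null) {
            try {
                algorithm = (String) JwtBuildUtils.getConfigProperty(JwtBuildUtils.NEW_TOKEN_SIGNATURE_ALG_PROPERTY, String.class);
                if (algorithm != null) {
                    algorithm = SignatureAlgorithm.fromAlgorithm(algorithm).getAlgorithm();
                    this.headers.put("alg", algorithm);
                }
            } catch (Exception e) {
                throw ImplMessages.msg.unsupportedSignatureAlgorithm(algorithm, e);
            }
        }
        return algorithm;
    }

    /**
     * Chooses the signature algorithm for the key and rejects combinations that do not fit.
     *
     * <p>Defaults when nothing is configured: RS256 for RSA and other private keys, ES256 for EC
     * keys, HS256 for secret keys, EdDSA for EdEC private keys.
     *
     * @param key the signing key
     * @return the algorithm to put in the {@code alg} header
     */
    private String getSignatureAlgorithm(Key key) {
        String configured = getConfiguredSignatureAlgorithm();
        // Unsigned tokens are never produced, whatever the key.
        if ("none".equals(configured)) {
            throw ImplMessages.msg.noneSignatureAlgorithmUnsupported();
        }
        if (key instanceof RSAPrivateKey) {
            if (configured == null) {
                return SignatureAlgorithm.RS256.name();
            }
            if (configured.startsWith("RS") || configured.startsWith("PS")) {
                return configured;
            }
        } else if (key instanceof ECPrivateKey) {
            if (configured == null) {
                return SignatureAlgorithm.ES256.name();
            }
            if (configured.startsWith("ES")) {
                return configured;
            }
        } else if (key instanceof SecretKey) {
            if (configured == null) {
                return SignatureAlgorithm.HS256.name();
            }
            if (configured.startsWith("HS")) {
                return configured;
            }
        } else if (key instanceof PrivateKey) {
            // Private keys that expose neither the RSA nor the EC interface.
            boolean edDsaRequestedOrDefault = configured == null
                    || configured.equals(SignatureAlgorithm.EDDSA.getAlgorithm());
            if (isEdECPrivateKey(key) && edDsaRequestedOrDefault) {
                return SignatureAlgorithm.EDDSA.getAlgorithm();
            }
            if (configured == null) {
                return SignatureAlgorithm.RS256.name();
            }
            if (configured.startsWith("RS") || configured.startsWith("PS") || configured.startsWith("ES")) {
                return configured;
            }
        }
        // NOTE(review): the message carries the key's algorithm, not the configured one, so a
        // key/algorithm mismatch is reported under the key type.
        throw ImplMessages.msg.unsupportedSignatureAlgorithm(key.getAlgorithm());
    }

    /** Checks the key against the EdEC private key interface by name via {@code KeyUtils}. */
    private static boolean isEdECPrivateKey(Key key) {
        return KeyUtils.isSupportedKey(key, ED_EC_PRIVATE_KEY_INTERFACE);
    }

    /**
     * Reads key content from a location, wrapping any failure.
     *
     * @param str the key location
     * @return the key content
     */
    static String getKeyContentFromLocation(String str) {
        try {
            return KeyUtils.readKeyContent(str);
        } catch (Exception e) {
            throw ImplMessages.msg.signingKeyCanNotBeLoadedFromLocation(str, e);
        }
    }

    /**
     * Turns key content into a signing key, trying PEM first and a JWK or JWK set second.
     *
     * <p>Side effects: a PEM key is cached in {@link #configuredPemKey}; for a JWK, the
     * {@code kid} header may be filled from configuration or from the JWK, and the {@code alg}
     * header from the JWK when no algorithm was configured.
     *
     * @param str the key content
     * @return the signing key, or {@code null} when the content yields none
     */
    Key getSigningKeyFromKeyContent(String str) {
        String keyId = (String) this.headers.get("kid");
        String configuredName = getConfiguredSignatureAlgorithm();
        SignatureAlgorithm configuredAlgorithm;
        if (configuredName == null) {
            configuredAlgorithm = null;
        } else {
            try {
                configuredAlgorithm = SignatureAlgorithm.fromAlgorithm(configuredName);
            } catch (IllegalArgumentException e) {
                throw ImplMessages.msg.unsupportedSignatureAlgorithm(configuredName, e);
            }
        }

        // PEM parsing needs an algorithm; RS256 is the fallback when none is configured.
        SignatureAlgorithm pemAlgorithm = configuredAlgorithm == null ? SignatureAlgorithm.RS256 : configuredAlgorithm;
        PrivateKey pemKey = KeyUtils.tryAsPemSigningPrivateKey(str, pemAlgorithm);
        if (pemKey != null) {
            this.configuredPemKey = pemKey;
            return pemKey;
        }

        if (keyId == null) {
            keyId = (String) JwtBuildUtils.getConfigProperty(JwtBuildUtils.SIGN_KEY_ID_PROPERTY, String.class);
            if (keyId != null) {
                this.headers.put("kid", keyId);
            }
        }
        JsonWebKey jwk = KeyUtils.getJwkKeyFromJwkSet(keyId, str);
        if (jwk == null) {
            return null;
        }
        // Declared as Key: the JWK may hold a private key or a secret key.
        Key jwkSigningKey = KeyUtils.getPrivateOrSecretSigningKey(jwk, configuredAlgorithm);
        if (jwkSigningKey != null) {
            if (configuredAlgorithm == null && jwk.getAlgorithm() != null) {
                this.headers.put("alg", jwk.getAlgorithm());
            }
            if (keyId == null && jwk.getKeyId() != null) {
                this.headers.put("kid", jwk.getKeyId());
            }
        }
        return jwkSigningKey;
    }

    /**
     * Removes the {@code jti} claim from the claims.
     *
     * <p>Called after signing; presumably so a reused builder does not repeat a token id
     * (to be confirmed against {@code JwtBuildUtils.setDefaultJwtClaims}).
     */
    public void removeJti() {
        this.claims.unsetClaim(Claims.jti.name());
    }
}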
