package org.wildfly.security.http.oidc;

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.InputStream;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Map;
import org.jose4j.jwk.PublicJsonWebKey;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.jose4j.lang.JoseException;
import org.keycloak.OAuth2Constants;
import org.keycloak.common.constants.GenericConstants;
import org.wildfly.security.http.oidc.Oidc;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/wildfly-elytron-http-oidc-1.15.16.Final.jar:org/wildfly/security/http/oidc/JWTClientCredentialsProvider.class
 */
/* loaded from: input_file:WEB-INF/lib/wildfly-elytron-1.15.16.Final.jar:org/wildfly/security/http/oidc/JWTClientCredentialsProvider.class */
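/**
 * {@link ClientCredentialsProvider} that authenticates the OIDC client to the token endpoint with a
 * signed JWT client assertion ({@code client_assertion_type} / {@code client_assertion} form parameters)
 * instead of a shared client secret.
 *
 * <p>The signing key pair is loaded from a keystore described by the adapter configuration map passed to
 * {@link #init(OidcClientConfiguration, Object)}; only RSA keys are accepted. Each assertion is a fresh
 * JWT whose issuer and subject are the client's resource name, whose audience is the token URL and whose
 * lifetime is {@code token-timeout} seconds (default {@value #DEFAULT_TOKEN_TIMEOUT}).
 *
 * <p>This class is not thread-safe during configuration; {@link #init} / {@link #setupKeyPair} are expected
 * to run before any {@link #setClientCredentials} call.
 */
public class JWTClientCredentialsProvider implements ClientCredentialsProvider {

    /** Lifetime, in seconds, of a client assertion when {@code token-timeout} is not configured. */
    private static final int DEFAULT_TOKEN_TIMEOUT = 10;
    /** Keystore type assumed when {@code client-keystore-type} is not configured. */
    private static final String DEFAULT_KEYSTORE_TYPE = "JKS";
    /** JWS algorithm placed in the assertion header; matches the RSA-only key check in {@link #setupKeyPair}. */
    private static final String SIGNATURE_ALGORITHM = "RS256";

    // Signing key pair; null until init()/setupKeyPair() has run.
    private KeyPair keyPair;
    // JWK view of the public key, used only to derive the "kid" header of the assertion.
    private PublicJsonWebKey publicKeyJwk;
    // Assertion lifetime in seconds.
    private int tokenTimeout;

    /**
     * Returns the provider identifier under which this implementation is selected.
     *
     * @return the {@code jwt} credentials provider type value
     */
    @Override
    public String getId() {
        return Oidc.ClientCredentialsProviderType.JWT.getValue();
    }

    /**
     * Installs the key pair used to sign client assertions.
     *
     * @param keyPair key pair whose public key must be an {@link RSAPublicKey}
     * @throws RuntimeException (via {@code ElytronMessages.log.unsupportedPublicKey()}) when the public key is not RSA;
     *         in that case the previously configured key pair, if any, is left untouched
     */
    public void setupKeyPair(KeyPair keyPair) {
        // Validate before assigning so a rejected key pair does not leave the provider half-configured.
        if (!(keyPair.getPublic() instanceof RSAPublicKey)) {
            throw ElytronMessages.log.unsupportedPublicKey();
        }
        this.keyPair = keyPair;
        this.publicKeyJwk = new RsaJsonWebKey((RSAPublicKey) keyPair.getPublic());
    }

    /**
     * Sets the lifetime of generated client assertions.
     *
     * @param i lifetime in seconds (added to the issue time to produce {@code exp})
     */
    public void setTokenTimeout(int i) {
        this.tokenTimeout = i;
    }

    /**
     * @return the configured assertion lifetime in seconds
     */
    protected int getTokenTimeout() {
        return this.tokenTimeout;
    }

    /**
     * @return the public half of the signing key pair
     * @throws NullPointerException if no key pair has been configured yet
     */
    public PublicKey getPublicKey() {
        return this.keyPair.getPublic();
    }

    /**
     * Configures the provider from the {@code credentials} section of the adapter configuration.
     *
     * <p>Recognised keys: {@code client-keystore-file} (required; a path or a {@code classpath:} resource),
     * {@code client-keystore-type} (default {@value #DEFAULT_KEYSTORE_TYPE}), {@code client-keystore-password}
     * (required), {@code client-key-password} (defaults to the keystore password), {@code client-key-alias}
     * (defaults to the resource name) and {@code token-timeout} (seconds, default {@value #DEFAULT_TOKEN_TIMEOUT}).
     *
     * @param oidcClientConfiguration client configuration supplying the resource name
     * @param obj                     the credentials configuration; must be a {@link Map}
     * @throws RuntimeException when {@code obj} is not a map, a required key is missing, or the key pair cannot be loaded
     */
    @Override
    public void init(OidcClientConfiguration oidcClientConfiguration, Object obj) {
        if (!(obj instanceof Map)) {
            throw ElytronMessages.log.invalidJwtClientCredentialsConfig(oidcClientConfiguration.getResourceName());
        }
        Map map = (Map) obj;
        String keyStoreFile = requiredString(map, "client-keystore-file", oidcClientConfiguration);
        String keyStoreType = (String) map.get("client-keystore-type");
        if (keyStoreType == null) {
            // Fix: the original assigned the default type to the *file path* variable here, which both lost
            // the configured path and passed a null type to KeyStore.getInstance().
            keyStoreType = DEFAULT_KEYSTORE_TYPE;
        }
        String keyStorePassword = requiredString(map, "client-keystore-password", oidcClientConfiguration);
        String keyPassword = (String) map.get("client-key-password");
        if (keyPassword == null) {
            keyPassword = keyStorePassword;
        }
        String keyAlias = (String) map.get("client-key-alias");
        if (keyAlias == null) {
            keyAlias = oidcClientConfiguration.getResourceName();
        }
        setupKeyPair(loadKeyPairFromKeyStore(keyStoreFile, keyStorePassword, keyPassword, keyAlias, keyStoreType));
        this.tokenTimeout = Oidc.asInt(map, "token-timeout", DEFAULT_TOKEN_TIMEOUT).intValue();
    }

    /**
     * Reads a mandatory string entry from the credentials configuration.
     *
     * @param map    credentials configuration
     * @param key    configuration key to read
     * @param config client configuration, used only to name the resource in the error
     * @return the configured value, never null
     * @throws RuntimeException (via {@code missingParameterInJwtClientCredentialsConfig}) when the key is absent
     */
    private static String requiredString(Map<?, ?> map, String key, OidcClientConfiguration config) {
        String value = (String) map.get(key);
        if (value == null) {
            throw ElytronMessages.log.missingParameterInJwtClientCredentialsConfig(key, config.getResourceName());
        }
        return value;
    }

    /**
     * Adds the signed client assertion to the token request form parameters.
     *
     * @param oidcClientConfiguration client configuration supplying the resource name (issuer/subject) and token URL (audience)
     * @param map                     request headers; not modified by this provider
     * @param map2                    form parameters; receives {@code client_assertion_type} and {@code client_assertion}
     */
    @Override
    public void setClientCredentials(OidcClientConfiguration oidcClientConfiguration, Map<String, String> map, Map<String, String> map2) {
        String assertion = createSignedRequestToken(oidcClientConfiguration.getResourceName(), oidcClientConfiguration.getTokenUrl());
        map2.put(OAuth2Constants.CLIENT_ASSERTION_TYPE, OAuth2Constants.CLIENT_ASSERTION_TYPE_JWT);
        map2.put(OAuth2Constants.CLIENT_ASSERTION, assertion);
    }

    /**
     * Builds and signs a client assertion JWT with the configured private key.
     *
     * @param str  client identifier, used as {@code iss} and {@code sub}
     * @param str2 token endpoint URL, used as {@code aud}
     * @return the JWS compact serialization of the assertion
     * @throws RuntimeException (via {@code unableToCreateSignedToken}) if signing fails
     * @throws NullPointerException if no key pair has been configured
     */
    public String createSignedRequestToken(String str, String str2) {
        JwtClaims claims = createRequestToken(str, str2);
        JsonWebSignature jws = new JsonWebSignature();
        // "kid" lets the server pick the matching registered public key.
        jws.setKeyIdHeaderValue(this.publicKeyJwk.getKeyId());
        jws.setKey(this.keyPair.getPrivate());
        jws.setAlgorithmHeaderValue(SIGNATURE_ALGORITHM);
        jws.setPayload(claims.toJson());
        try {
            return jws.getCompactSerialization();
        } catch (JoseException e) {
            // NOTE: the message method takes no cause, so the JoseException detail is not propagated.
            throw ElytronMessages.log.unableToCreateSignedToken();
        }
    }

    /**
     * Builds the unsigned claim set of a client assertion: a random {@code jti}, {@code iss}/{@code sub} set to the
     * client id, {@code aud} set to the token URL, {@code iat}/{@code nbf} set to now and {@code exp} set to
     * now plus the token timeout.
     *
     * @param str  client identifier
     * @param str2 token endpoint URL
     * @return the populated claims
     */
    protected JwtClaims createRequestToken(String str, String str2) {
        JwtClaims claims = new JwtClaims();
        claims.setJwtId(Oidc.generateId());
        claims.setIssuer(str);
        claims.setSubject(str);
        claims.setAudience(str2);
        NumericDate now = NumericDate.now();
        claims.setIssuedAt(now);
        claims.setNotBefore(now);
        claims.setExpirationTime(NumericDate.fromSeconds(now.getValue() + this.tokenTimeout));
        return claims;
    }

    /**
     * Loads the signing key pair from a keystore.
     *
     * @param keyStoreFile     keystore location accepted by {@link #findFile(String)}
     * @param keyStorePassword keystore integrity password
     * @param keyPassword      password protecting the private key entry
     * @param keyAlias         alias of the key entry and its certificate
     * @param keyStoreType     {@link KeyStore#getInstance(String)} type
     * @return the key pair built from the entry's certificate and private key
     * @throws RuntimeException (via {@code unableToLoadPrivateKey}) if the keystore cannot be read or the
     *         entry has no certificate; location errors from {@link #findFile(String)} propagate unwrapped
     */
    private static KeyPair loadKeyPairFromKeyStore(String keyStoreFile, String keyStorePassword, String keyPassword,
                                                   String keyAlias, String keyStoreType) {
        // Resolve the location outside the try so that "file not found" keeps its own error type
        // rather than being reported as a private-key load failure.
        InputStream located = findFile(keyStoreFile);
        try (InputStream keyStoreStream = located) {  // fix: the stream was never closed before
            KeyStore keyStore = KeyStore.getInstance(keyStoreType);
            keyStore.load(keyStoreStream, keyStorePassword.toCharArray());
            PrivateKey privateKey = (PrivateKey) keyStore.getKey(keyAlias, keyPassword.toCharArray());
            if (privateKey == null) {
                // NOTE(review): the return value is not thrown here, as in the original; if this message method
                // merely logs, a KeyPair with a null private key is returned and signing fails later — confirm.
                ElytronMessages.log.unableToLoadKeyWithAlias(keyAlias);
            }
            // A missing certificate surfaces as a NullPointerException, reported through the catch below.
            return new KeyPair(keyStore.getCertificate(keyAlias).getPublicKey(), privateKey);
        } catch (Exception e) {
            throw ElytronMessages.log.unableToLoadPrivateKey(e);
        }
    }

    /**
     * Opens the keystore location either as a filesystem path or, when prefixed with
     * {@code GenericConstants.PROTOCOL_CLASSPATH}, as a classpath resource looked up first through this class's
     * loader and then through the thread context class loader.
     *
     * @param location filesystem path or {@code classpath:}-prefixed resource name
     * @return an open stream the caller must close
     * @throws RuntimeException wrapping {@link FileNotFoundException} for a missing file, or
     *         (via {@code unableToFindKeystoreFile}) for a missing classpath resource
     */
    private static InputStream findFile(String location) {
        if (!location.startsWith(GenericConstants.PROTOCOL_CLASSPATH)) {
            try {
                return new FileInputStream(location);
            } catch (FileNotFoundException e) {
                throw new RuntimeException(e);
            }
        }
        // Strip only the leading scheme prefix; replace() would also remove any later occurrence in the path.
        String resource = location.substring(GenericConstants.PROTOCOL_CLASSPATH.length());
        InputStream stream = JWTClientCredentialsProvider.class.getClassLoader().getResourceAsStream(resource);
        if (stream == null) {
            stream = Thread.currentThread().getContextClassLoader().getResourceAsStream(resource);
        }
        if (stream == null) {
            throw ElytronMessages.log.unableToFindKeystoreFile(location);
        }
        return stream;
    }
}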
