package io.smallrye.jwt.util;

import io.smallrye.jwt.algorithm.KeyEncryptionAlgorithm;
import io.smallrye.jwt.algorithm.SignatureAlgorithm;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.Key;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.EnumMap;
import java.util.List;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.json.Json;
import javax.json.JsonArray;
import javax.json.JsonObject;
import javax.json.JsonReader;
import org.apache.commons.lang3.StringUtils;
import org.jose4j.json.JsonUtil;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jwk.OctetSequenceJsonWebKey;
import org.jose4j.jwk.PublicJsonWebKey;
import org.jose4j.keys.AesKey;
import org.jose4j.keys.HmacKey;

/* loaded from: input_file:io/smallrye/jwt/util/KeyUtils.class */
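/**
 * Static helpers for reading, decoding and generating the keys used to sign, verify, encrypt
 * and decrypt JWTs.
 *
 * <p>Key material is accepted as PEM text (PKCS#8 private keys, X.509 {@code SubjectPublicKeyInfo}
 * public keys, X.509 certificates) or as a JWK / JWK set. The {@code tryAs...} and {@code load...}
 * helpers are best-effort: they log the failure and return {@code null} instead of throwing, so
 * callers must treat a {@code null} key as "no usable key" and fail closed.
 */
public final class KeyUtils {
    private static final String RSA = "RSA";
    private static final String EC = "EC";

    // Key sizes in bits for the symmetric algorithms generateSecretKey(...) supports.
    // Both maps are mutable and visible to the package; treat them as read-only.
    protected static final EnumMap<KeyEncryptionAlgorithm, Integer> KEY_ENCRYPTION_BITS = new EnumMap<>(KeyEncryptionAlgorithm.class);
    protected static final EnumMap<SignatureAlgorithm, Integer> SIGNATURE_ALGORITHM_BITS = new EnumMap<>(SignatureAlgorithm.class);

    static {
        KEY_ENCRYPTION_BITS.put(KeyEncryptionAlgorithm.A128KW, 128);
        KEY_ENCRYPTION_BITS.put(KeyEncryptionAlgorithm.A192KW, 192);
        KEY_ENCRYPTION_BITS.put(KeyEncryptionAlgorithm.A256KW, 256);
        SIGNATURE_ALGORITHM_BITS.put(SignatureAlgorithm.HS256, 256);
        SIGNATURE_ALGORITHM_BITS.put(SignatureAlgorithm.HS384, 384);
        SIGNATURE_ALGORITHM_BITS.put(SignatureAlgorithm.HS512, 512);
    }

    private KeyUtils() {
    }

    /**
     * Reads a whole classpath resource as UTF-8 text.
     *
     * <p>The stream is drained in a loop rather than with a single {@code read} into a fixed
     * 4096-byte buffer: one {@code read} call may return fewer bytes than are available and
     * would silently truncate larger PEM files, producing a key that fails to parse.
     *
     * @param resourceName classpath location of the resource
     * @return the resource content decoded as UTF-8
     * @throws IOException if the resource is missing or cannot be read
     */
    private static String readClasspathResource(String resourceName) throws IOException {
        try (InputStream in = ResourceUtils.getAsClasspathResource(resourceName)) {
            if (in == null) {
                throw new IOException("Key resource not found on the classpath: " + resourceName);
            }
            ByteArrayOutputStream content = new ByteArrayOutputStream();
            byte[] chunk = new byte[4096];
            int count;
            while ((count = in.read(chunk)) != -1) {
                content.write(chunk, 0, count);
            }
            return new String(content.toByteArray(), StandardCharsets.UTF_8);
        }
    }

    /**
     * Reads a PEM private key for {@code RS256} from the classpath.
     *
     * @param str classpath location of the PEM resource
     * @return the decoded private key
     * @throws IOException if the resource is missing or cannot be read
     * @throws GeneralSecurityException if the content is not a valid PKCS#8 key
     */
    public static PrivateKey readPrivateKey(String str) throws IOException, GeneralSecurityException {
        return readPrivateKey(str, SignatureAlgorithm.RS256);
    }

    /**
     * Reads a PEM private key for the given signature algorithm from the classpath.
     *
     * @param str classpath location of the PEM resource
     * @param signatureAlgorithm algorithm that selects the key family (RSA or EC)
     * @return the decoded private key
     * @throws IOException if the resource is missing or cannot be read
     * @throws GeneralSecurityException if the content is not a valid PKCS#8 key of that family
     */
    public static PrivateKey readPrivateKey(String str, SignatureAlgorithm signatureAlgorithm) throws IOException, GeneralSecurityException {
        return decodePrivateKey(readClasspathResource(str), signatureAlgorithm);
    }

    /**
     * Reads a PEM decryption private key for {@code RSA_OAEP} from the classpath.
     *
     * @param str classpath location of the PEM resource
     * @return the decoded private key
     * @throws IOException if the resource is missing or cannot be read
     * @throws GeneralSecurityException if the content is not a valid PKCS#8 key
     */
    public static PrivateKey readDecryptionPrivateKey(String str) throws IOException, GeneralSecurityException {
        return readDecryptionPrivateKey(str, KeyEncryptionAlgorithm.RSA_OAEP);
    }

    /**
     * Reads a PEM decryption private key for the given key encryption algorithm from the classpath.
     *
     * @param str classpath location of the PEM resource
     * @param keyEncryptionAlgorithm algorithm that selects the key family (RSA or EC)
     * @return the decoded private key
     * @throws IOException if the resource is missing or cannot be read
     * @throws GeneralSecurityException if the content is not a valid PKCS#8 key of that family
     */
    public static PrivateKey readDecryptionPrivateKey(String str, KeyEncryptionAlgorithm keyEncryptionAlgorithm) throws IOException, GeneralSecurityException {
        return decodeDecryptionPrivateKey(readClasspathResource(str), keyEncryptionAlgorithm);
    }

    /**
     * Reads a PEM public key for {@code RS256} from the classpath.
     *
     * @param str classpath location of the PEM resource
     * @return the decoded public key
     * @throws IOException if the resource is missing or cannot be read
     * @throws GeneralSecurityException if the content is not a valid X.509-encoded public key
     */
    public static PublicKey readPublicKey(String str) throws IOException, GeneralSecurityException {
        return readPublicKey(str, SignatureAlgorithm.RS256);
    }

    /**
     * Reads a PEM public key for the given signature algorithm from the classpath.
     *
     * @param str classpath location of the PEM resource
     * @param signatureAlgorithm algorithm that selects the key family (RSA or EC)
     * @return the decoded public key
     * @throws IOException if the resource is missing or cannot be read
     * @throws GeneralSecurityException if the content is not a valid X.509-encoded public key
     */
    public static PublicKey readPublicKey(String str, SignatureAlgorithm signatureAlgorithm) throws IOException, GeneralSecurityException {
        return decodePublicKey(readClasspathResource(str), signatureAlgorithm);
    }

    /**
     * Reads a PEM encryption public key for {@code RSA_OAEP} from the classpath.
     *
     * @param str classpath location of the PEM resource
     * @return the decoded public key
     * @throws IOException if the resource is missing or cannot be read
     * @throws GeneralSecurityException if the content is not a valid X.509-encoded public key
     */
    public static PublicKey readEncryptionPublicKey(String str) throws IOException, GeneralSecurityException {
        return readEncryptionPublicKey(str, KeyEncryptionAlgorithm.RSA_OAEP);
    }

    /**
     * Reads a PEM encryption public key for the given key encryption algorithm from the classpath.
     *
     * @param str classpath location of the PEM resource
     * @param keyEncryptionAlgorithm algorithm that selects the key family (RSA or EC)
     * @return the decoded public key
     * @throws IOException if the resource is missing or cannot be read
     * @throws GeneralSecurityException if the content is not a valid X.509-encoded public key
     */
    public static PublicKey readEncryptionPublicKey(String str, KeyEncryptionAlgorithm keyEncryptionAlgorithm) throws IOException, GeneralSecurityException {
        return decodeEncryptionPublicKey(readClasspathResource(str), keyEncryptionAlgorithm);
    }

    /**
     * Generates a key pair for {@code RS256}.
     *
     * @param i key size in bits
     * @return the generated key pair
     * @throws NoSuchAlgorithmException if no provider supports the key family
     */
    public static KeyPair generateKeyPair(int i) throws NoSuchAlgorithmException {
        return generateKeyPair(i, SignatureAlgorithm.RS256);
    }

    /**
     * Generates a key pair of the family implied by the signature algorithm.
     *
     * <p>The size is handed to the generator as given; this method enforces no minimum, so the
     * caller chooses a size that meets its own policy.
     *
     * @param i key size in bits
     * @param signatureAlgorithm algorithm that selects the key family (RSA or EC)
     * @return the generated key pair
     * @throws NoSuchAlgorithmException if the algorithm is neither RSA- nor EC-based
     */
    public static KeyPair generateKeyPair(int i, SignatureAlgorithm signatureAlgorithm) throws NoSuchAlgorithmException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance(keyFactoryAlgorithm(signatureAlgorithm));
        generator.initialize(i);
        return generator.genKeyPair();
    }

    /**
     * Decodes a PEM or bare Base64 PKCS#8 private key for {@code RS256}.
     *
     * @param str PEM text or Base64-encoded PKCS#8 key
     * @return the decoded private key
     * @throws GeneralSecurityException if the key cannot be parsed
     */
    public static PrivateKey decodePrivateKey(String str) throws GeneralSecurityException {
        return decodePrivateKey(str, SignatureAlgorithm.RS256);
    }

    /**
     * Decodes a PEM or bare Base64 PKCS#8 private key for the given signature algorithm.
     *
     * @param str PEM text or Base64-encoded PKCS#8 key
     * @param signatureAlgorithm algorithm that selects the key family (RSA or EC)
     * @return the decoded private key
     * @throws GeneralSecurityException if the key cannot be parsed or the algorithm is unsupported
     */
    public static PrivateKey decodePrivateKey(String str, SignatureAlgorithm signatureAlgorithm) throws GeneralSecurityException {
        return decodePrivateKeyInternal(str, keyFactoryAlgorithm(signatureAlgorithm));
    }

    /**
     * Decodes a PEM or bare Base64 PKCS#8 RSA private key used for decryption.
     *
     * @param str PEM text or Base64-encoded PKCS#8 key
     * @return the decoded private key
     * @throws GeneralSecurityException if the key cannot be parsed
     */
    public static PrivateKey decodeDecryptionPrivateKey(String str) throws GeneralSecurityException {
        return decodePrivateKeyInternal(str, RSA);
    }

    /**
     * Decodes a PEM or bare Base64 PKCS#8 private key for the given key encryption algorithm.
     *
     * @param str PEM text or Base64-encoded PKCS#8 key
     * @param keyEncryptionAlgorithm algorithm that selects the key family (RSA or EC)
     * @return the decoded private key
     * @throws GeneralSecurityException if the key cannot be parsed or the algorithm is unsupported
     */
    public static PrivateKey decodeDecryptionPrivateKey(String str, KeyEncryptionAlgorithm keyEncryptionAlgorithm) throws GeneralSecurityException {
        return decodePrivateKeyInternal(str, encryptionKeyFactoryAlgorithm(keyEncryptionAlgorithm));
    }

    /**
     * Strips the PEM armor, Base64-decodes the body and parses it as PKCS#8.
     *
     * <p>The PEM label is not inspected, so a block in another format (for example a PKCS#1
     * {@code RSA PRIVATE KEY} or an encrypted key) still reaches the PKCS#8 parser and is
     * expected to be rejected there rather than here.
     *
     * @param str PEM text or Base64-encoded PKCS#8 key
     * @param str2 {@link KeyFactory} algorithm name
     * @return the decoded private key
     * @throws GeneralSecurityException if the key cannot be parsed
     */
    static PrivateKey decodePrivateKeyInternal(String str, String str2) throws GeneralSecurityException {
        byte[] der = Base64.getDecoder().decode(removePemKeyBeginEnd(str));
        return KeyFactory.getInstance(str2).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /**
     * Decodes a PEM or bare Base64 X.509-encoded public key for {@code RS256}.
     *
     * @param str PEM text or Base64-encoded key
     * @return the decoded public key
     * @throws GeneralSecurityException if the key cannot be parsed
     */
    public static PublicKey decodePublicKey(String str) throws GeneralSecurityException {
        return decodePublicKey(str, SignatureAlgorithm.RS256);
    }

    /**
     * Wraps the UTF-8 bytes of a shared secret in a {@link SecretKeySpec} named
     * {@code AesKey.ALGORITHM}.
     *
     * <p>The bytes become the key as they are: no key derivation is applied and the length is
     * not checked here. The caller is responsible for supplying a secret of a valid key size
     * with enough entropy; a short or human-chosen password is not a safe input.
     *
     * @param str the secret
     * @return a secret key backed by the secret's UTF-8 bytes
     */
    public static SecretKey createSecretKeyFromSecret(String str) {
        return new SecretKeySpec(str.getBytes(StandardCharsets.UTF_8), AesKey.ALGORITHM);
    }

    /**
     * Generates a random secret key for a symmetric key-wrap algorithm.
     *
     * @param keyEncryptionAlgorithm one of the algorithms listed in {@link #KEY_ENCRYPTION_BITS}
     * @return a key of the size registered for the algorithm, filled from {@link SecureRandom}
     * @throws InvalidAlgorithmParameterException if the algorithm is not a supported symmetric one
     */
    public static SecretKey generateSecretKey(KeyEncryptionAlgorithm keyEncryptionAlgorithm) throws InvalidAlgorithmParameterException {
        Integer bits = KEY_ENCRYPTION_BITS.get(keyEncryptionAlgorithm);
        if (bits == null) {
            throw JWTUtilMessages.msg.requiresSymmetricAlgo(keyEncryptionAlgorithm.name());
        }
        byte[] material = new byte[bits / 8];
        new SecureRandom().nextBytes(material);
        return new SecretKeySpec(material, AesKey.ALGORITHM);
    }

    /**
     * Generates a random secret key for an HMAC signature algorithm.
     *
     * @param signatureAlgorithm one of the algorithms listed in {@link #SIGNATURE_ALGORITHM_BITS}
     * @return a key of the size registered for the algorithm, filled from {@link SecureRandom}
     * @throws InvalidAlgorithmParameterException if the algorithm is not a supported symmetric one
     */
    public static SecretKey generateSecretKey(SignatureAlgorithm signatureAlgorithm) throws InvalidAlgorithmParameterException {
        Integer bits = SIGNATURE_ALGORITHM_BITS.get(signatureAlgorithm);
        if (bits == null) {
            throw JWTUtilMessages.msg.requiresSymmetricAlgo(signatureAlgorithm.name());
        }
        byte[] material = new byte[bits / 8];
        new SecureRandom().nextBytes(material);
        return new SecretKeySpec(material, HmacKey.ALGORITHM);
    }

    /**
     * Decodes a PEM or bare Base64 X.509-encoded public key for the given signature algorithm.
     *
     * @param str PEM text or Base64-encoded key
     * @param signatureAlgorithm algorithm that selects the key family (RSA or EC)
     * @return the decoded public key
     * @throws GeneralSecurityException if the key cannot be parsed or the algorithm is unsupported
     */
    public static PublicKey decodePublicKey(String str, SignatureAlgorithm signatureAlgorithm) throws GeneralSecurityException {
        byte[] der = Base64.getDecoder().decode(removePemKeyBeginEnd(str));
        return KeyFactory.getInstance(keyFactoryAlgorithm(signatureAlgorithm)).generatePublic(new X509EncodedKeySpec(der));
    }

    /**
     * Decodes a PEM or bare Base64 X.509-encoded public key for the given key encryption algorithm.
     *
     * @param str PEM text or Base64-encoded key
     * @param keyEncryptionAlgorithm algorithm that selects the key family (RSA or EC)
     * @return the decoded public key
     * @throws GeneralSecurityException if the key cannot be parsed or the algorithm is unsupported
     */
    public static PublicKey decodeEncryptionPublicKey(String str, KeyEncryptionAlgorithm keyEncryptionAlgorithm) throws GeneralSecurityException {
        byte[] der = Base64.getDecoder().decode(removePemKeyBeginEnd(str));
        return KeyFactory.getInstance(encryptionKeyFactoryAlgorithm(keyEncryptionAlgorithm)).generatePublic(new X509EncodedKeySpec(der));
    }

    /**
     * Maps a signature algorithm to its {@link KeyFactory} algorithm by enum-name prefix:
     * {@code RS*} and {@code PS*} to RSA, {@code ES*} to EC.
     *
     * @param signatureAlgorithm the signature algorithm
     * @return {@code "RSA"} or {@code "EC"}
     * @throws NoSuchAlgorithmException for any other algorithm, including the HMAC ones
     */
    static String keyFactoryAlgorithm(SignatureAlgorithm signatureAlgorithm) throws NoSuchAlgorithmException {
        String name = signatureAlgorithm.name();
        if (name.startsWith("RS") || name.startsWith("PS")) {
            return RSA;
        }
        if (name.startsWith("ES")) {
            return EC;
        }
        throw JWTUtilMessages.msg.unsupportedAlgorithm(name);
    }

    /**
     * Maps a key encryption algorithm to its {@link KeyFactory} algorithm by enum-name prefix:
     * {@code RS*} to RSA, {@code EC*} to EC.
     *
     * @param keyEncryptionAlgorithm the key encryption algorithm
     * @return {@code "RSA"} or {@code "EC"}
     * @throws NoSuchAlgorithmException for any other algorithm
     */
    static String encryptionKeyFactoryAlgorithm(KeyEncryptionAlgorithm keyEncryptionAlgorithm) throws NoSuchAlgorithmException {
        String name = keyEncryptionAlgorithm.name();
        if (name.startsWith("RS")) {
            return RSA;
        }
        if (name.startsWith("EC")) {
            return EC;
        }
        throw JWTUtilMessages.msg.unsupportedAlgorithm(name);
    }

    /**
     * Extracts the public key from a PEM or bare Base64 X.509 certificate.
     *
     * <p>See {@link #getCertificate(String)}: the certificate is parsed, not validated.
     *
     * @param str PEM text or Base64-encoded certificate
     * @return the certificate's public key
     * @throws GeneralSecurityException if the certificate cannot be parsed
     */
    public static PublicKey decodeCertificate(String str) throws GeneralSecurityException {
        return getCertificate(str).getPublicKey();
    }

    /**
     * Parses a PEM or bare Base64 X.509 certificate.
     *
     * <p>This method only parses. It does not check the issuer chain, the validity period or
     * revocation, so trust in the returned certificate has to be established by the caller.
     *
     * @param str PEM text or Base64-encoded certificate
     * @return the parsed certificate
     * @throws GeneralSecurityException if the certificate cannot be parsed
     */
    public static X509Certificate getCertificate(String str) throws GeneralSecurityException {
        byte[] der = Base64.getDecoder().decode(removeCertBeginEnd(str));
        return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(der));
    }

    /**
     * Removes the {@code -----BEGIN ... KEY-----} / {@code -----END ... KEY-----} lines, real
     * line breaks and literal backslash-n sequences, leaving the Base64 body.
     *
     * @param str PEM text
     * @return the Base64 body with surrounding whitespace trimmed
     */
    public static String removePemKeyBeginEnd(String str) {
        String body = str.replaceAll("-----BEGIN(.*?)KEY-----", "").replaceAll("-----END(.*?)KEY-----", "");
        // The last pattern matches a backslash followed by 'n', as found in keys pasted into
        // single-line configuration values.
        return body.replaceAll("\r\n", "").replaceAll(StringUtils.LF, "").replaceAll("\\\\n", "").trim();
    }

    /**
     * Removes the {@code -----BEGIN ... CERTIFICATE-----} / {@code -----END ... CERTIFICATE-----}
     * lines, real line breaks and literal backslash-n sequences, leaving the Base64 body.
     *
     * @param str PEM text
     * @return the Base64 body with surrounding whitespace trimmed
     */
    private static String removeCertBeginEnd(String str) {
        String body = str.replaceAll("-----BEGIN(.*?)CERTIFICATE-----", "").replaceAll("-----END(.*?)CERTIFICATE-----", "");
        return body.replaceAll("\r\n", "").replaceAll(StringUtils.LF, "").replaceAll("\\\\n", "").trim();
    }

    /**
     * Reads the key content from the given location through {@code ResourceUtils.readResource}.
     *
     * @param str key location
     * @return the key content, never {@code null}
     * @throws IOException if reading fails; a missing key is reported through
     *         {@code JWTUtilMessages.msg.keyNotFound}
     */
    public static String readKeyContent(String str) throws IOException {
        String content = ResourceUtils.readResource(str);
        if (content == null) {
            throw JWTUtilMessages.msg.keyNotFound(str);
        }
        return content;
    }

    /**
     * Attempts to decode the content as a PEM signing private key.
     *
     * @param str key content
     * @param signatureAlgorithm algorithm that selects the key family
     * @return the private key, or {@code null} if the content is not such a key (failure is logged)
     */
    public static PrivateKey tryAsPemSigningPrivateKey(String str, SignatureAlgorithm signatureAlgorithm) {
        JWTUtilLogging.log.creatingKeyFromPemKey();
        try {
            return decodePrivateKey(str, signatureAlgorithm);
        } catch (Exception e) {
            // Deliberate best-effort: the caller falls back to other key formats.
            JWTUtilLogging.log.creatingKeyFromPemKeyFailed(e);
            return null;
        }
    }

    /**
     * Attempts to decode the content as a PEM encryption public key.
     *
     * @param str key content
     * @param keyEncryptionAlgorithm algorithm that selects the key family
     * @return the public key, or {@code null} if the content is not such a key (failure is logged)
     */
    public static PublicKey tryAsPemEncryptionPublicKey(String str, KeyEncryptionAlgorithm keyEncryptionAlgorithm) {
        JWTUtilLogging.log.creatingKeyFromPemKey();
        try {
            return decodeEncryptionPublicKey(str, keyEncryptionAlgorithm);
        } catch (Exception e) {
            // Deliberate best-effort: the caller falls back to other key formats.
            JWTUtilLogging.log.creatingKeyFromPemKeyFailed(e);
            return null;
        }
    }

    /**
     * Attempts to decode the content as a PEM certificate and return its public key.
     *
     * @param str key content
     * @return the public key, or {@code null} if the content is not a certificate (failure is logged)
     */
    static PublicKey tryAsPEMCertificate(String str) {
        JWTUtilLogging.log.creatingKeyFromPemCertificate();
        try {
            return decodeCertificate(str);
        } catch (Exception e) {
            // Deliberate best-effort: the caller falls back to other key formats.
            JWTUtilLogging.log.creatingKeyFromPemCertificateFailed(e);
            return null;
        }
    }

    /**
     * Parses the content as a JWK set or, when it has no {@code keys} member, as a single JWK.
     *
     * @param str JSON text
     * @return the parsed keys, or {@code null} if the JSON or any contained key cannot be parsed
     */
    public static List<JsonWebKey> loadJsonWebKeys(String str) {
        JWTUtilLogging.log.loadingJwks();
        JsonObject jwks;
        JsonArray keys;
        try (JsonReader reader = Json.createReader(new StringReader(str))) {
            jwks = reader.readObject();
            keys = jwks.getJsonArray(JsonWebKeySet.JWK_SET_MEMBER_NAME);
        } catch (Exception e) {
            JWTUtilLogging.log.loadingJwksFailed(e);
            return null;
        }
        try {
            if (keys == null) {
                return Collections.singletonList(createJsonWebKey(jwks));
            }
            List<JsonWebKey> parsed = new ArrayList<>(keys.size());
            for (int i = 0; i < keys.size(); i++) {
                parsed.add(createJsonWebKey(keys.getJsonObject(i)));
            }
            return parsed;
        } catch (Exception e) {
            // NOTE(review): the cause is dropped here; parsingJwksFailed() takes no argument.
            JWTUtilLogging.log.parsingJwksFailed();
            return null;
        }
    }

    /**
     * Builds a jose4j {@link JsonWebKey} from a parsed JSON object by re-serializing it.
     *
     * @param jsonObject the JWK as JSON
     * @return the JWK
     * @throws Exception if jose4j rejects the key
     */
    static JsonWebKey createJsonWebKey(JsonObject jsonObject) throws Exception {
        return JsonWebKey.Factory.newJwk(JsonUtil.parseJson(jsonObject.toString()));
    }

    /**
     * Reads an encryption key for {@code RSA_OAEP_256}.
     *
     * @param str key location
     * @param str2 key id to select from a JWK set, may be {@code null}
     * @return the key, or {@code null} if no usable key was found
     * @throws IOException if the key content cannot be read
     */
    public static Key readEncryptionKey(String str, String str2) throws IOException {
        return readEncryptionKey(str, str2, KeyEncryptionAlgorithm.RSA_OAEP_256);
    }

    /**
     * Reads an encryption key, trying in order: PEM public key, PEM certificate, JWK or JWK set.
     *
     * <p>A certificate is used for its public key only; it is not validated (see
     * {@link #getCertificate(String)}).
     *
     * @param str key location
     * @param str2 key id to select from a JWK set, may be {@code null}
     * @param keyEncryptionAlgorithm algorithm the key is intended for
     * @return the key, or {@code null} if no format yielded a usable key
     * @throws IOException if the key content cannot be read
     */
    public static Key readEncryptionKey(String str, String str2, KeyEncryptionAlgorithm keyEncryptionAlgorithm) throws IOException {
        String content = readKeyContent(str);
        // Declared as Key: the JWK branch may yield a SecretKey, not only a PublicKey.
        Key key = tryAsPemEncryptionPublicKey(content, keyEncryptionAlgorithm);
        if (key == null) {
            key = tryAsPEMCertificate(content);
        }
        if (key == null) {
            JsonWebKey jwk = getJwkKeyFromJwkSet(str2, content);
            if (jwk != null) {
                key = getPublicOrSecretEncryptingKey(jwk, keyEncryptionAlgorithm);
            }
        }
        return key;
    }

    /**
     * Returns the JWK's secret key ({@code oct} keys) or public key if the JWK may be used for
     * encryption with the given algorithm.
     *
     * <p>The algorithm is compared only when both the argument and the JWK's {@code alg} are
     * present; a JWK without {@code alg} is accepted for any algorithm. A JWK without
     * {@code key_ops} is accepted for any operation.
     *
     * @param jsonWebKey the JWK
     * @param keyEncryptionAlgorithm expected algorithm, may be {@code null}
     * @return the key, or {@code null} if the JWK's {@code alg} or {@code key_ops} exclude this use
     */
    public static Key getPublicOrSecretEncryptingKey(JsonWebKey jsonWebKey, KeyEncryptionAlgorithm keyEncryptionAlgorithm) {
        String jwkAlgorithm = jsonWebKey.getAlgorithm();
        if (keyEncryptionAlgorithm != null && jwkAlgorithm != null && !jwkAlgorithm.equals(keyEncryptionAlgorithm.getAlgorithm())) {
            return null;
        }
        List<String> keyOps = jsonWebKey.getKeyOps();
        // NOTE(review): RFC 7517 registers "encrypt" and "wrapKey" as key_ops values, not
        // "encryption"; a JWK that lists only the registered values is rejected here. Confirm
        // whether that is intended before widening the check.
        if (keyOps != null && !keyOps.contains("encryption")) {
            return null;
        }
        if (OctetSequenceJsonWebKey.KEY_TYPE.equals(jsonWebKey.getKeyType())) {
            return ((OctetSequenceJsonWebKey) jsonWebKey).getKey();
        }
        return ((PublicJsonWebKey) jsonWebKey).getPublicKey();
    }

    /**
     * Reads a signing key for {@code RS256}.
     *
     * @param str key location
     * @param str2 key id to select from a JWK set, may be {@code null}
     * @return the key, or {@code null} if no usable key was found
     * @throws IOException if the key content cannot be read
     */
    public static Key readSigningKey(String str, String str2) throws IOException {
        return readSigningKey(str, str2, SignatureAlgorithm.RS256);
    }

    /**
     * Reads a signing key, trying in order: PEM private key, JWK or JWK set.
     *
     * @param str key location
     * @param str2 key id to select from a JWK set, may be {@code null}
     * @param signatureAlgorithm algorithm the key is intended for
     * @return the key, or {@code null} if no format yielded a usable key
     * @throws IOException if the key content cannot be read
     */
    public static Key readSigningKey(String str, String str2, SignatureAlgorithm signatureAlgorithm) throws IOException {
        String content = readKeyContent(str);
        // Declared as Key: the JWK branch may yield a SecretKey, not only a PrivateKey.
        Key key = tryAsPemSigningPrivateKey(content, signatureAlgorithm);
        if (key == null) {
            JsonWebKey jwk = getJwkKeyFromJwkSet(str2, content);
            if (jwk != null) {
                key = getPrivateOrSecretSigningKey(jwk, signatureAlgorithm);
            }
        }
        return key;
    }

    /**
     * Selects a JWK from JSON content holding a JWK set or a single JWK.
     *
     * <p>Selection rules, in order: a key whose {@code kid} equals the requested id; otherwise,
     * if the content holds exactly one key, that key when no id was requested or when the key
     * itself carries no {@code kid}. Note the last case: a requested id that matches nothing
     * still resolves to a lone key that has no {@code kid}.
     *
     * @param str requested key id, may be {@code null}
     * @param str2 JSON content
     * @return the selected JWK, or {@code null} if the content cannot be parsed or no key qualifies
     */
    public static JsonWebKey getJwkKeyFromJwkSet(String str, String str2) {
        List<JsonWebKey> candidates = loadJsonWebKeys(str2);
        if (candidates == null) {
            return null;
        }
        if (str != null) {
            for (JsonWebKey candidate : candidates) {
                if (str.equals(candidate.getKeyId())) {
                    return candidate;
                }
            }
        }
        if (candidates.size() != 1) {
            return null;
        }
        JsonWebKey only = candidates.get(0);
        return (str == null || only.getKeyId() == null) ? only : null;
    }

    /**
     * Returns the JWK's secret key ({@code oct} keys) or private key if the JWK may be used for
     * signing with the given algorithm.
     *
     * <p>The algorithm is compared only when both the argument and the JWK's {@code alg} are
     * present; a JWK without {@code alg} is accepted for any algorithm. A JWK without
     * {@code key_ops} is accepted for any operation.
     *
     * @param jsonWebKey the JWK
     * @param signatureAlgorithm expected algorithm, may be {@code null}
     * @return the key, or {@code null} if the JWK's {@code alg} or {@code key_ops} exclude this
     *         use; presumably also {@code null} when the JWK holds no private part (confirm
     *         against jose4j's {@code getPrivateKey})
     */
    public static Key getPrivateOrSecretSigningKey(JsonWebKey jsonWebKey, SignatureAlgorithm signatureAlgorithm) {
        String jwkAlgorithm = jsonWebKey.getAlgorithm();
        if (signatureAlgorithm != null && jwkAlgorithm != null && !jwkAlgorithm.equals(signatureAlgorithm.getAlgorithm())) {
            return null;
        }
        List<String> keyOps = jsonWebKey.getKeyOps();
        if (keyOps != null && !keyOps.contains("sign")) {
            return null;
        }
        if (OctetSequenceJsonWebKey.KEY_TYPE.equals(jsonWebKey.getKeyType())) {
            return ((OctetSequenceJsonWebKey) jsonWebKey).getKey();
        }
        return ((PublicJsonWebKey) jsonWebKey).getPrivateKey();
    }
}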
