package io.smallrye.jwt.auth.principal;

import io.smallrye.jwt.KeyUtils;
import io.smallrye.jwt.algorithm.SignatureAlgorithm;
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.StringReader;
import java.io.StringWriter;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import javax.json.Json;
import javax.json.JsonArray;
import javax.json.JsonObject;
import javax.json.JsonReader;
import org.jboss.logging.Logger;
import org.jose4j.json.JsonUtil;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jwk.PublicJsonWebKey;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.keys.resolvers.VerificationKeyResolver;
import org.jose4j.lang.JoseException;
import org.jose4j.lang.UnresolvableKeyException;

/* loaded from: input_file:wildfly.zip:modules/system/layers/base/io/smallrye/jwt/main/smallrye-jwt-2.0.13.jar:io/smallrye/jwt/auth/principal/KeyLocationResolver.class */
public class KeyLocationResolver implements VerificationKeyResolver {
    private static final Logger LOGGER = Logger.getLogger((Class<?>) KeyLocationResolver.class);
    // Key locations starting with this prefix are loaded through HttpsJwks in initializeKeyContent().
    private static final String HTTPS_SCHEME = "https:";
    // Not referenced in the visible code: readKeyContent() tests the literal "http" instead,
    // a prefix that matches both "http:" and "https:" locations.
    private static final String HTTP_BASED_SCHEME = "http";
    // Prefix stripped by readKeyContent() before the remainder is looked up on the context class loader.
    private static final String CLASSPATH_SCHEME = "classpath:";
    // Prefix stripped by readKeyContent() before the remainder is opened as a file-system path.
    private static final String FILE_SCHEME = "file:";
    // Key resolved at construction time (PEM key, PEM certificate, or a JWK selected by the
    // configured token key id); when non-null, resolveKey() returns it for every token.
    PublicKey verificationKey;
    // Locally loaded JWK or JWK set; assigned by tryJWKContent(), null when the content was not a JWK.
    private List<JsonWebKey> jsonWebKeys;
    // Remote JWK set handle; assigned only when the key location starts with HTTPS_SCHEME.
    private HttpsJwks httpsJwks;
    // Configuration supplied to the constructor (key content/location, expected kid, algorithm).
    private JWTAuthContextInfo authContextInfo;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:wildfly.zip:modules/system/layers/base/io/smallrye/jwt/main/smallrye-jwt-2.0.13.jar:io/smallrye/jwt/auth/principal/KeyLocationResolver$UrlStreamResolver.class */
    /**
     * Opens a stream for a key location given as a URL string.
     *
     * <p>The location is handed to {@link URL} unchanged: the scheme is not restricted here and no
     * connect or read timeout is configured in this class. NOTE(review): callers should only pass
     * operator-controlled configuration values — confirm no request-derived value reaches this.
     */
    public static class UrlStreamResolver {
        UrlStreamResolver() {
        }

        /**
         * Opens the resource named by {@code str}.
         *
         * @param str the URL to open
         * @return a stream over the resource content; the caller is responsible for closing it
         * @throws IOException if the URL is malformed or the stream cannot be opened
         */
        public InputStream resolve(String str) throws IOException {
            final URL keyUrl = new URL(str);
            return keyUrl.openStream();
        }
    }

    /**
     * Creates a resolver and eagerly loads the key material described by the supplied context.
     *
     * <p>Loading is delegated to {@link #initializeKeyContent()}. Any exception it raises is
     * wrapped so that the message names where the key was expected to come from: the inline
     * {@code mp.jwt.verify.publickey} content when that is set, otherwise the key location.
     *
     * @param jWTAuthContextInfo configuration holding the key content or the key location
     * @throws UnresolvableKeyException if the key material could not be loaded
     */
    public KeyLocationResolver(JWTAuthContextInfo jWTAuthContextInfo) throws UnresolvableKeyException {
        this.authContextInfo = jWTAuthContextInfo;
        try {
            initializeKeyContent();
        } catch (Exception cause) {
            // Only the source of the key is described; the inline key content itself is never
            // copied into the exception message.
            final String keySource;
            if (jWTAuthContextInfo.getPublicKeyContent() != null) {
                keySource = " the 'mp.jwt.verify.publickey' property";
            } else {
                keySource = jWTAuthContextInfo.getPublicKeyLocation();
            }
            throw new UnresolvableKeyException("Failed to load a key from " + keySource, cause);
        }
    }

    /**
     * Returns the key to verify the given signature with.
     *
     * <p>The token's {@code kid} header is first checked against the configured key id. A key
     * resolved at construction time is then returned as-is; otherwise the key is looked up in
     * the remote or local JWK set using the token's {@code kid}. The {@code list} argument is
     * not used.
     *
     * @param jsonWebSignature the signature whose verification key is wanted
     * @param list the nesting context supplied by the caller (ignored)
     * @return the verification key, never {@code null}
     * @throws UnresolvableKeyException if the {@code kid} check fails or no key can be found
     */
    @Override // org.jose4j.keys.resolvers.VerificationKeyResolver
    public Key resolveKey(JsonWebSignature jsonWebSignature, List<JsonWebStructure> list) throws UnresolvableKeyException {
        verifyKid(jsonWebSignature, this.authContextInfo.getTokenKeyId());

        final PublicKey resolved = this.verificationKey != null ? this.verificationKey : tryAsJwk(jsonWebSignature);
        if (resolved != null) {
            return resolved;
        }

        final String keySource;
        if (this.authContextInfo.getPublicKeyContent() != null) {
            keySource = " the 'mp.jwt.verify.publickey' property";
        } else {
            keySource = this.authContextInfo.getPublicKeyLocation();
        }
        throw new UnresolvableKeyException("Failed to load a key from " + keySource);
    }

    /**
     * Looks the token's {@code kid} up in whichever JWK source is available.
     *
     * <p>The remote JWK set takes precedence over a locally loaded one whenever both are set.
     *
     * @param jsonWebSignature the signature whose {@code kid} header selects the key
     * @return the matching public key, or {@code null} if no JWK source exists or none matches
     * @throws UnresolvableKeyException if the {@code kid} header cannot be read
     */
    private PublicKey tryAsJwk(JsonWebSignature jsonWebSignature) throws UnresolvableKeyException {
        final String tokenKid = getKid(jsonWebSignature);
        if (this.httpsJwks != null) {
            return getHttpsJwk(tokenKid);
        }
        return this.jsonWebKeys != null ? getJsonWebKey(tokenKid) : null;
    }

    /**
     * Selects a public key from the remote JWK set.
     *
     * @param str the key id to look for; may be {@code null}
     * @return the selected key, or {@code null} if none matches or the key set cannot be used
     */
    PublicKey getHttpsJwk(String str) {
        LOGGER.debugf("Trying to create a key from the HTTPS JWK(S)...");
        PublicKey selected;
        try {
            selected = getKeyFromJsonWebKeys(str, this.httpsJwks.getJsonWebKeys(), this.authContextInfo.getSignatureAlgorithm());
        } catch (Exception failure) {
            // Any failure is reported as "no key": the caller then rejects the token rather
            // than verifying it with something else.
            LOGGER.debug("Failed to create a key from the HTTPS JWK(S)", failure);
            selected = null;
        }
        return selected;
    }

    /**
     * Selects a public key from the locally loaded JWK or JWK set.
     *
     * @param str the key id to look for; may be {@code null}
     * @return the selected key, or {@code null} if none matches or selection fails
     */
    PublicKey getJsonWebKey(String str) {
        LOGGER.debugf("Trying the create a key from the JWK(S)...");
        PublicKey selected;
        try {
            selected = getKeyFromJsonWebKeys(str, this.jsonWebKeys, this.authContextInfo.getSignatureAlgorithm());
        } catch (Exception failure) {
            // Failures (including a null key list) are reported as "no key".
            LOGGER.debug("Failed to create a key from the JWK(S)", failure);
            selected = null;
        }
        return selected;
    }

    /**
     * Rejects a token whose {@code kid} header differs from the expected key id.
     *
     * <p>The check is skipped when no expected key id is configured, and also when the token
     * carries no {@code kid} header at all — so a configured key id does not by itself force
     * tokens to declare one.
     *
     * @param jsonWebSignature the signature whose {@code kid} header is checked
     * @param str the expected key id, or {@code null} to skip the check
     * @throws UnresolvableKeyException if both values are present and differ
     */
    private static void verifyKid(JsonWebSignature jsonWebSignature, String str) throws UnresolvableKeyException {
        if (str == null) {
            return;
        }
        final String tokenKid = getKid(jsonWebSignature);
        if (tokenKid == null || tokenKid.equals(str)) {
            return;
        }
        // NOTE(review): tokenKid is taken from the token header and is written to the debug log
        // unmodified — confirm the log layout neutralises control characters.
        LOGGER.debugf("Invalid token 'kid' header: %s, expected: %s", tokenKid, str);
        throw new UnresolvableKeyException("Invalid token 'kid' header");
    }

    /**
     * Reads the {@code kid} header of the given signature.
     *
     * <p>The value comes from the token's own header, so callers should treat it as untrusted
     * input.
     *
     * @param jsonWebSignature the signature to inspect
     * @return the {@code kid} header value as returned by the header lookup
     * @throws UnresolvableKeyException declared for callers; not raised by the visible code
     */
    private static String getKid(JsonWebSignature jsonWebSignature) throws UnresolvableKeyException {
        final String kidHeader = jsonWebSignature.getHeaders().getStringHeaderValue("kid");
        return kidHeader;
    }

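    /**
     * Loads the verification key material described by the auth context.
     *
     * <p>An {@code https:} key location is first tried as a remote JWK set. If that succeeds the
     * method returns and keys are selected per token later. Otherwise the key content (inline,
     * or read from the location) is tried, in order, as a PEM public key, a PEM certificate, a
     * JWK / JWK set, and finally a Base64URL-encoded JWK / JWK set.
     *
     * <p>The method may complete without finding any key; {@code resolveKey} then fails for
     * each token.
     *
     * @throws Exception if the key content cannot be read or the remote JWK set setup fails
     *         with anything other than a {@link JoseException}
     */
    protected void initializeKeyContent() throws Exception {
        if (this.authContextInfo.getPublicKeyLocation() != null && this.authContextInfo.getPublicKeyLocation().startsWith(HTTPS_SCHEME)) {
            LOGGER.debugf("Trying to load the keys from the HTTPS JWK(S)...");
            this.httpsJwks = initializeHttpsJwks();
            // presumably the refresh interval is configured in minutes and the cache duration
            // is expressed in seconds — TODO confirm against the configuration documentation
            this.httpsJwks.setDefaultCacheDuration(this.authContextInfo.getJwksRefreshInterval().longValue() * 60);
            try {
                this.httpsJwks.refresh();
                return;
            } catch (JoseException e) {
                // This failure used to be swallowed silently, hiding the fact that the resolver
                // had left the JWK-set path. Processing still continues below (the location may
                // serve a PEM key rather than a JWK set). httpsJwks stays assigned, so a later
                // per-token lookup consults it before any locally parsed keys.
                LOGGER.debug("Failed to load the keys from the HTTPS JWK(S), the key location content will be read directly", e);
            }
        }
        String publicKeyContent = this.authContextInfo.getPublicKeyContent() != null ? this.authContextInfo.getPublicKeyContent() : readKeyContent(this.authContextInfo.getPublicKeyLocation());
        this.verificationKey = tryAsPEMPublicKey(publicKeyContent, this.authContextInfo.getSignatureAlgorithm());
        if (this.verificationKey == null) {
            this.verificationKey = tryAsPEMCertificate(publicKeyContent);
        }
        if (this.verificationKey == null) {
            LOGGER.debugf("Checking if the key content is a JWK key or JWK key set");
            tryJWKContent(publicKeyContent, false);
        }
        if (this.verificationKey == null && this.jsonWebKeys == null) {
            try {
                LOGGER.debugf("Checking if the key content is a Base64URL encoded JWK key or JWK key set");
                tryJWKContent(new String(Base64.getUrlDecoder().decode(publicKeyContent.getBytes(StandardCharsets.UTF_8)), StandardCharsets.UTF_8), true);
            } catch (IllegalArgumentException e2) {
                // Content that is not valid Base64URL simply ends the format probing.
                LOGGER.debug("Unable to decode content using Base64 decoder", e2);
            }
        }
    }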

    /**
     * Tries to interpret the given content as a JWK or JWK set.
     *
     * <p>The parsed keys (or {@code null}) replace {@code jsonWebKeys}. When a token key id is
     * configured, the matching key is also stored as the verification key straight away.
     *
     * @param str the candidate JWK / JWK set JSON
     * @param z {@code true} if {@code str} was obtained by Base64URL-decoding the key content;
     *        only affects the log message
     */
    private void tryJWKContent(String str, boolean z) {
        this.jsonWebKeys = loadJsonWebKeys(str);
        if (this.jsonWebKeys == null) {
            return;
        }
        final String configuredKid = this.authContextInfo.getTokenKeyId();
        if (configuredKid == null) {
            // Without a configured key id the key is chosen per token in resolveKey().
            return;
        }
        this.verificationKey = getJsonWebKey(configuredKid);
        if (this.verificationKey == null) {
            return;
        }
        final String qualifier = z ? " the encoded " : " ";
        LOGGER.debugf("PublicKey has been created from" + qualifier + "JWK key or JWK key set");
    }

    /**
     * Creates the remote JWK set handle for the configured key location.
     *
     * <p>Protected so that subclasses can supply a differently configured instance.
     *
     * @return a new {@link HttpsJwks} pointing at the configured public key location
     */
    protected HttpsJwks initializeHttpsJwks() {
        final String jwksLocation = this.authContextInfo.getPublicKeyLocation();
        return new HttpsJwks(jwksLocation);
    }

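    /**
     * Reads the key content found at the given location.
     *
     * <p>The location is resolved by prefix: anything starting with {@code http} is opened as a
     * URL, {@code file:} as a file-system path, {@code classpath:} as a context class loader
     * resource. A location with none of these prefixes is tried as a file, then as a classpath
     * resource, then as a URL.
     *
     * <p>The content is decoded as UTF-8 and returned with line terminators removed (lines are
     * concatenated), as before.
     *
     * @param str the key location
     * @return the content of the resource with line breaks stripped
     * @throws IOException if no resource exists at the location or it cannot be read
     */
    protected String readKeyContent(String str) throws IOException {
        InputStream keyStream;
        if (str.startsWith("http")) {
            // The prefix matches both "http:" and "https:". A verification key fetched over
            // plain http is not authenticated in transit, so whoever can alter the response
            // chooses the key tokens are verified with; deployments should use https, file
            // or classpath locations.
            keyStream = getUrlResolver().resolve(str);
        } else if (str.startsWith(FILE_SCHEME)) {
            keyStream = getAsFileSystemResource(str.substring(FILE_SCHEME.length()));
        } else if (str.startsWith(CLASSPATH_SCHEME)) {
            keyStream = getAsClasspathResource(str.substring(CLASSPATH_SCHEME.length()));
        } else {
            keyStream = getAsFileSystemResource(str);
            if (keyStream == null) {
                keyStream = getAsClasspathResource(str);
            }
            if (keyStream == null) {
                keyStream = getUrlResolver().resolve(str);
            }
        }
        if (keyStream == null) {
            throw new IOException("No resource with the named " + str + " location exists");
        }
        final StringBuilder content = new StringBuilder();
        // try-with-resources closes the stream on every path and keeps a read failure as the
        // primary exception if close() fails too. The charset is explicit so that decoding does
        // not depend on the platform default (the Base64URL path already assumes UTF-8).
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(keyStream, StandardCharsets.UTF_8))) {
            String line;
            while ((line = reader.readLine()) != null) {
                content.append(line);
            }
        }
        return content.toString();
    }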

    /**
     * Supplies the resolver used to open URL-based key locations.
     *
     * <p>Protected so that subclasses can substitute their own resolver.
     *
     * @return a new {@link UrlStreamResolver}
     */
    protected UrlStreamResolver getUrlResolver() {
        final UrlStreamResolver resolver = new UrlStreamResolver();
        return resolver;
    }

    /**
     * Tries to decode the key content as a PEM public key.
     *
     * @param str the key content
     * @param signatureAlgorithm the algorithm passed on to the decoder
     * @return the decoded key, or {@code null} if the content is not a decodable PEM key
     */
    static PublicKey tryAsPEMPublicKey(String str, SignatureAlgorithm signatureAlgorithm) {
        LOGGER.debugf("Checking if the key content is a Base64 encoded PEM key");
        PublicKey decoded = null;
        try {
            decoded = KeyUtils.decodePublicKey(str, signatureAlgorithm);
            LOGGER.debug("PublicKey has been created from the encoded PEM key");
        } catch (Exception notPemKey) {
            // A decoding failure only means the content is in another format; the caller goes
            // on to try the remaining formats.
            LOGGER.debug("The key content is not a valid encoded PEM key", notPemKey);
        }
        return decoded;
    }

    /**
     * Tries to decode the key content as a PEM certificate and take its public key.
     *
     * <p>NOTE(review): nothing in this method checks the certificate's validity period or its
     * issuer — confirm whether the decoder does, or whether the certificate is meant to be
     * trusted purely because it was configured.
     *
     * @param str the key content
     * @return the certificate's public key, or {@code null} if the content is not a decodable
     *         PEM certificate
     */
    static PublicKey tryAsPEMCertificate(String str) {
        LOGGER.debugf("Checking if the key content is a Base64 encoded PEM certificate");
        PublicKey decoded = null;
        try {
            decoded = KeyUtils.decodeCertificate(str);
            LOGGER.debug("PublicKey has been created from the encoded PEM certificate");
        } catch (Exception notPemCertificate) {
            // A decoding failure only means the content is in another format.
            LOGGER.debug("The key content is not a valid encoded PEM certificate", notPemCertificate);
        }
        return decoded;
    }

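    /**
     * Parses the given content as a single JWK or as a JWK set.
     *
     * <p>If the JSON object has a {@code JsonWebKeySet.JWK_SET_MEMBER_NAME} array, every element
     * is converted to a key; otherwise the object itself is treated as one key.
     *
     * @param str the candidate JSON content
     * @return the parsed keys, or {@code null} if the content is not JSON or not a valid JWK
     */
    static List<JsonWebKey> loadJsonWebKeys(String str) {
        LOGGER.debugf("Trying to load the local JWK(S)...");
        try {
            final JsonObject jwkJson;
            // try-with-resources also closes the reader when readObject() fails.
            try (JsonReader reader = Json.createReader(new StringReader(str))) {
                jwkJson = reader.readObject();
            }
            final JsonArray keyArray = jwkJson.getJsonArray(JsonWebKeySet.JWK_SET_MEMBER_NAME);
            try {
                if (keyArray == null) {
                    return Collections.singletonList(createJsonWebKey(jwkJson));
                }
                final List<JsonWebKey> keys = new ArrayList<>(keyArray.size());
                for (int i = 0; i < keyArray.size(); i++) {
                    keys.add(createJsonWebKey(keyArray.getJsonObject(i)));
                }
                return keys;
            } catch (Exception e) {
                // One unparsable entry rejects the whole set; the cause is deliberately kept out
                // of the log message, as before.
                LOGGER.debug("Failed to parse the JWK JSON representation");
                return null;
            }
        } catch (Exception e2) {
            // Reached for non-JSON content, which is expected while the key format is probed.
            LOGGER.debug("Failed to load the JWK(S)");
            return null;
        }
    }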

    /**
     * Selects the public key to use from a list of JWKs.
     *
     * <p>With a key id, the first key with that id is returned, provided its {@code alg} is
     * absent or equals the expected algorithm. If that finds nothing and the list holds exactly
     * one key, that key is used as a fallback when either no key id was asked for or the key
     * itself declares none — again subject to the {@code alg} check. A key without {@code alg}
     * is accepted for any expected algorithm.
     *
     * @param str the key id to look for, or {@code null}
     * @param list the candidate keys
     * @param signatureAlgorithm the algorithm a key's {@code alg}, if present, must equal
     * @return the selected public key, or {@code null} if no key qualifies
     * @throws ClassCastException if the selected JWK is not a {@link PublicJsonWebKey}
     */
    static PublicKey getKeyFromJsonWebKeys(String str, List<JsonWebKey> list, SignatureAlgorithm signatureAlgorithm) {
        if (str != null) {
            for (JsonWebKey candidate : list) {
                if (!str.equals(candidate.getKeyId())) {
                    continue;
                }
                final String candidateAlg = candidate.getAlgorithm();
                if (candidateAlg == null || signatureAlgorithm.getAlgorithm().equals(candidateAlg)) {
                    return PublicJsonWebKey.class.cast(candidate).getPublicKey();
                }
            }
        }

        // Fallback: only a single-key list is ever used without an exact key id match.
        if (list.size() != 1) {
            return null;
        }
        final JsonWebKey onlyKey = list.get(0);
        if (str != null && onlyKey.getKeyId() != null) {
            // Both sides name a key id and they did not match above.
            return null;
        }
        final String onlyKeyAlg = onlyKey.getAlgorithm();
        final boolean algorithmAccepted = onlyKeyAlg == null || signatureAlgorithm.getAlgorithm().equals(onlyKeyAlg);
        return algorithmAccepted ? PublicJsonWebKey.class.cast(onlyKey).getPublicKey() : null;
    }

    /**
     * Converts a JSON object into a {@link JsonWebKey}.
     *
     * <p>The object is serialised to text and parsed again with the JOSE library's own JSON
     * parser before the key is built from it.
     *
     * @param jsonObject the JSON representation of one JWK
     * @return the key built from the object
     * @throws Exception if the JSON cannot be parsed or does not describe a supported key
     */
    static JsonWebKey createJsonWebKey(JsonObject jsonObject) throws Exception {
        final String serialized = jsonObject.toString();
        return JsonWebKey.Factory.newJwk(JsonUtil.parseJson(serialized));
    }

    /**
     * Opens the given path as a file-system resource.
     *
     * <p>The path is opened exactly as given; it is not normalised or confined to a base
     * directory here. NOTE(review): confirm it only ever comes from deployment configuration.
     *
     * @param str the file-system path
     * @return a stream over the file, or {@code null} if the file cannot be opened for reading
     * @throws IOException declared for callers; not raised by the visible code
     */
    static InputStream getAsFileSystemResource(String str) throws IOException {
        InputStream stream;
        try {
            stream = new FileInputStream(str);
        } catch (FileNotFoundException missing) {
            // "Not found" is an expected outcome: the caller moves on to other resource types.
            stream = null;
        }
        return stream;
    }

    /**
     * Opens the given name as a resource of the current thread's context class loader.
     *
     * @param str the resource name
     * @return a stream over the resource, or {@code null} if the class loader finds none
     */
    static InputStream getAsClasspathResource(String str) {
        final ClassLoader contextLoader = Thread.currentThread().getContextClassLoader();
        return contextLoader.getResourceAsStream(str);
    }
}
