package org.apache.cxf.rs.security.jose.jws;

import java.security.PrivateKey;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.logging.Logger;
import org.apache.batik.util.XMLConstants;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.Base64UrlUtility;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter;
import org.apache.cxf.rs.security.jose.common.JoseConstants;
import org.apache.cxf.rs.security.jose.common.JoseHeaders;
import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
import org.apache.cxf.rs.security.jose.jws.JwsException;
import org.springframework.beans.PropertyAccessor;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-298.zip:modules/system/layers/fuse/org/apache/cxf/3.1/cxf-rt-rs-security-jose-3.1.5.redhat-630298.jar:org/apache/cxf/rs/security/jose/jws/JwsJsonProducer.class */
public class JwsJsonProducer {
    protected static final Logger LOG = LogUtils.getL7dLogger(JwsJsonProducer.class);
    private boolean supportFlattened;
    private String plainPayload;
    private String encodedPayload;
    private List<JwsJsonSignatureEntry> signatures;
    private JsonMapObjectReaderWriter writer;

    public JwsJsonProducer(String str) {
        this(str, false);
    }

    public JwsJsonProducer(String str, boolean z) {
        this.signatures = new LinkedList();
        this.writer = new JsonMapObjectReaderWriter();
        this.supportFlattened = z;
        this.plainPayload = str;
    }

    public String getPlainPayload() {
        return this.plainPayload;
    }

    public String getUnsignedEncodedPayload() {
        if (this.encodedPayload == null) {
            this.encodedPayload = Base64UrlUtility.encode(getPlainPayload());
        }
        return this.encodedPayload;
    }

    public String getJwsJsonSignedDocument() {
        return getJwsJsonSignedDocument(false);
    }

    public String getJwsJsonSignedDocument(boolean z) {
        if (this.signatures.isEmpty()) {
            return null;
        }
        Boolean validateB64Status = validateB64Status(this.signatures);
        StringBuilder sb = new StringBuilder();
        sb.append("{");
        if (!z) {
            sb.append("\"payload\":\"" + getActualPayload(validateB64Status) + XMLConstants.XML_DOUBLE_QUOTE);
            sb.append(",");
        }
        if (!this.supportFlattened || this.signatures.size() > 1) {
            sb.append("\"signatures\":[");
            for (int i = 0; i < this.signatures.size(); i++) {
                JwsJsonSignatureEntry jwsJsonSignatureEntry = this.signatures.get(i);
                if (i > 0) {
                    sb.append(",");
                }
                sb.append(jwsJsonSignatureEntry.toJson());
            }
            sb.append(PropertyAccessor.PROPERTY_KEY_SUFFIX);
        } else {
            sb.append(this.signatures.get(0).toJson(true));
        }
        sb.append("}");
        return sb.toString();
    }

    public List<JwsJsonSignatureEntry> getSignatureEntries() {
        return this.signatures;
    }

    public String signWith(List<JwsSignatureProvider> list) {
        Iterator<JwsSignatureProvider> it = list.iterator();
        while (it.hasNext()) {
            signWith(it.next());
        }
        return getJwsJsonSignedDocument();
    }

    public String signWith(JwsSignatureProvider jwsSignatureProvider) {
        JwsHeaders jwsHeaders = new JwsHeaders();
        jwsHeaders.setSignatureAlgorithm(jwsSignatureProvider.getAlgorithm());
        return signWith(jwsSignatureProvider, jwsHeaders);
    }

    public String signWith(JwsSignatureProvider jwsSignatureProvider, JwsHeaders jwsHeaders) {
        return signWith(jwsSignatureProvider, jwsHeaders, null);
    }

    public String signWith(JsonWebKey jsonWebKey) {
        return signWith(JwsUtils.getSignatureProvider(jsonWebKey));
    }

    public String signWith(PrivateKey privateKey, SignatureAlgorithm signatureAlgorithm) {
        return signWith(JwsUtils.getPrivateKeySignatureProvider(privateKey, signatureAlgorithm));
    }

    public String signWith(byte[] bArr, SignatureAlgorithm signatureAlgorithm) {
        return signWith(JwsUtils.getHmacSignatureProvider(bArr, signatureAlgorithm));
    }

    public String signWith(JwsSignatureProvider jwsSignatureProvider, JwsHeaders jwsHeaders, JwsHeaders jwsHeaders2) {
        JwsHeaders jwsHeaders3 = new JwsHeaders();
        if (jwsHeaders != null) {
            jwsHeaders3.asMap().putAll(jwsHeaders.asMap());
        }
        if (jwsHeaders2 != null) {
            checkUnprotectedHeaders(jwsHeaders2, JoseConstants.HEADER_CRITICAL, JoseConstants.JWS_HEADER_B64_STATUS_HEADER);
            if (!Collections.disjoint(jwsHeaders3.asMap().keySet(), jwsHeaders2.asMap().keySet())) {
                LOG.warning("Protected and unprotected headers have duplicate values");
                throw new JwsException(JwsException.Error.INVALID_JSON_JWS);
            }
            jwsHeaders3.asMap().putAll(jwsHeaders2.asMap());
        }
        if (jwsHeaders3.getSignatureAlgorithm() == null) {
            LOG.warning("Algorithm header is not set");
            throw new JwsException(JwsException.Error.INVALID_JSON_JWS);
        }
        String actualPayload = jwsHeaders != null ? getActualPayload(jwsHeaders.getPayloadEncodingStatus()) : getUnsignedEncodedPayload();
        String encode = Base64UrlUtility.encode(jwsSignatureProvider.sign(jwsHeaders3, StringUtils.toBytesUTF8(jwsHeaders != null ? Base64UrlUtility.encode(this.writer.toJson(jwsHeaders)) + "." + actualPayload : "." + getUnsignedEncodedPayload())));
        return updateJwsJsonSignedDocument(jwsHeaders != null ? new JwsJsonSignatureEntry(actualPayload, Base64UrlUtility.encode(this.writer.toJson(jwsHeaders)), encode, jwsHeaders2) : new JwsJsonSignatureEntry(getUnsignedEncodedPayload(), null, encode, jwsHeaders2));
    }

    private String getActualPayload(Boolean bool) {
        return Boolean.FALSE == bool ? getPlainPayload() : getUnsignedEncodedPayload();
    }

    private String updateJwsJsonSignedDocument(JwsJsonSignatureEntry jwsJsonSignatureEntry) {
        this.signatures.add(jwsJsonSignatureEntry);
        return getJwsJsonSignedDocument();
    }

    private static void checkUnprotectedHeaders(JoseHeaders joseHeaders, String... strArr) {
        for (String str : strArr) {
            if (joseHeaders.containsHeader(str)) {
                LOG.warning("Unprotected headers contain a header \"" + str + "\" which must be protected");
                throw new JwsException(JwsException.Error.INVALID_JSON_JWS);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static Boolean validateB64Status(List<JwsJsonSignatureEntry> list) {
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        Iterator<JwsJsonSignatureEntry> it = list.iterator();
        while (it.hasNext()) {
            JwsHeaders protectedHeader = it.next().getProtectedHeader();
            Boolean payloadEncodingStatus = protectedHeader != null ? protectedHeader.getPayloadEncodingStatus() : null;
            if (payloadEncodingStatus == null) {
                payloadEncodingStatus = Boolean.TRUE;
            }
            linkedHashSet.add(payloadEncodingStatus);
        }
        if (linkedHashSet.size() <= 1) {
            return (Boolean) linkedHashSet.iterator().next();
        }
        LOG.warning("Each signature entry can sign only encoded or only unencoded payload");
        throw new JwsException(JwsException.Error.INVALID_JSON_JWS);
    }
}
