package org.apache.cxf.rs.security.jose.jws;

import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.spec.AlgorithmParameterSpec;
import java.util.logging.Logger;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jws.JwsException;
import org.apache.cxf.rt.security.crypto.CryptoUtils;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-310-11.zip:modules/system/layers/fuse/org/apache/cxf/3.1/cxf-rt-rs-security-jose-3.1.5.redhat-630310-11.jar:org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.class */
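/**
 * Verifies JWS signatures with a public key, optionally taken from an X.509 certificate.
 *
 * <p>The verifier is pinned to one {@link SignatureAlgorithm} at construction time. The
 * algorithm named in the JWS headers is accepted only when it passes
 * {@link #isValidAlgorithmFamily(String)} and equals the pinned algorithm, so the token
 * cannot choose the algorithm its own signature is verified with.
 *
 * <p>NOTE(review): nothing in this class validates the certificate (trust chain, validity
 * period, revocation); the certificate is only used as a source of the public key. Callers
 * must establish trust in the key or certificate before constructing the verifier.
 */
public class PublicKeyJwsSignatureVerifier implements JwsSignatureVerifier {
    protected static final Logger LOG = LogUtils.getL7dLogger(PublicKeyJwsSignatureVerifier.class);
    private final PublicKey key;
    private final AlgorithmParameterSpec signatureSpec;
    private final SignatureAlgorithm supportedAlgo;
    private final X509Certificate cert;

    /**
     * Creates a verifier for the given key with no algorithm parameter spec.
     *
     * @param publicKey key used to verify signatures
     * @param signatureAlgorithm the only algorithm this verifier accepts
     */
    public PublicKeyJwsSignatureVerifier(PublicKey publicKey, SignatureAlgorithm signatureAlgorithm) {
        this(publicKey, (AlgorithmParameterSpec) null, signatureAlgorithm);
    }

    /**
     * Creates a verifier for the given key.
     *
     * @param publicKey key used to verify signatures; its size is checked by
     *     {@code JwsUtils.checkSignatureKeySize}
     * @param algorithmParameterSpec parameters passed through to the signature check, may be null
     * @param signatureAlgorithm the only algorithm this verifier accepts
     */
    public PublicKeyJwsSignatureVerifier(PublicKey publicKey, AlgorithmParameterSpec algorithmParameterSpec, SignatureAlgorithm signatureAlgorithm) {
        this.key = publicKey;
        this.cert = null;
        this.signatureSpec = algorithmParameterSpec;
        this.supportedAlgo = signatureAlgorithm;
        JwsUtils.checkSignatureKeySize(publicKey);
    }

    /**
     * Creates a verifier from a certificate's public key with no algorithm parameter spec.
     *
     * @param x509Certificate certificate supplying the verification key
     * @param signatureAlgorithm the only algorithm this verifier accepts
     */
    public PublicKeyJwsSignatureVerifier(X509Certificate x509Certificate, SignatureAlgorithm signatureAlgorithm) {
        this(x509Certificate, (AlgorithmParameterSpec) null, signatureAlgorithm);
    }

    /**
     * Creates a verifier from a certificate's public key.
     *
     * @param x509Certificate certificate supplying the verification key; when null the key
     *     stays null and is handed as such to {@code JwsUtils.checkSignatureKeySize}
     * @param algorithmParameterSpec parameters passed through to the signature check, may be null
     * @param signatureAlgorithm the only algorithm this verifier accepts
     */
    public PublicKeyJwsSignatureVerifier(X509Certificate x509Certificate, AlgorithmParameterSpec algorithmParameterSpec, SignatureAlgorithm signatureAlgorithm) {
        this.key = x509Certificate != null ? x509Certificate.getPublicKey() : null;
        this.cert = x509Certificate;
        this.signatureSpec = algorithmParameterSpec;
        this.supportedAlgo = signatureAlgorithm;
        JwsUtils.checkSignatureKeySize(this.key);
    }

    /**
     * Checks a signature over the UTF-8 bytes of {@code str}.
     *
     * <p>Every failure, including an algorithm rejected by
     * {@link #checkAlgorithm(SignatureAlgorithm)}, is reported as
     * {@code JwsException.Error.INVALID_SIGNATURE} with the original exception as the cause.
     *
     * @param jwsHeaders headers carrying the signature algorithm claimed by the token
     * @param str text whose signature is verified
     * @param bArr signature bytes
     * @return the result of {@code CryptoUtils.verifySignature}
     * @throws JwsException if the algorithm is rejected or verification throws
     */
    @Override
    public boolean verify(JwsHeaders jwsHeaders, String str, byte[] bArr) {
        try {
            // The header algorithm is validated against the pinned one before any crypto runs.
            String jwaName = checkAlgorithm(jwsHeaders.getSignatureAlgorithm());
            return CryptoUtils.verifySignature(
                StringUtils.toBytesUTF8(str),
                bArr,
                this.key,
                AlgorithmUtils.toJavaName(jwaName),
                this.signatureSpec);
        } catch (Exception e) {
            LOG.warning("Invalid signature: " + e.getMessage());
            throw new JwsException(JwsException.Error.INVALID_SIGNATURE, e);
        }
    }

    /**
     * Accepts the header algorithm only if it belongs to the supported family and is exactly
     * the algorithm this verifier was configured with.
     *
     * @param signatureAlgorithm algorithm taken from the JWS headers, may be null
     * @return the JWA name of the accepted algorithm
     * @throws JwsException with {@code ALGORITHM_NOT_SET} when no algorithm is given, or
     *     {@code INVALID_ALGORITHM} when it does not match the configured one
     */
    protected String checkAlgorithm(SignatureAlgorithm signatureAlgorithm) {
        // A header without an algorithm is reported as ALGORITHM_NOT_SET, not as a NullPointerException.
        String jwaName = signatureAlgorithm == null ? null : signatureAlgorithm.getJwaName();
        if (jwaName == null) {
            LOG.warning("Signature algorithm is not set");
            throw new JwsException(JwsException.Error.ALGORITHM_NOT_SET);
        }
        // Fail closed when the verifier itself was built without an algorithm.
        if (isValidAlgorithmFamily(jwaName)
            && this.supportedAlgo != null
            && jwaName.equals(this.supportedAlgo.getJwaName())) {
            return jwaName;
        }
        LOG.warning("Invalid signature algorithm: " + jwaName);
        throw new JwsException(JwsException.Error.INVALID_ALGORITHM);
    }

    /**
     * Tells whether the JWA name belongs to the family this verifier handles; this
     * implementation delegates to {@code AlgorithmUtils.isRsaSign}.
     *
     * @param str JWA algorithm name
     * @return true if the algorithm family is accepted
     */
    protected boolean isValidAlgorithmFamily(String str) {
        return AlgorithmUtils.isRsaSign(str);
    }

    /** Returns the algorithm this verifier was configured with. */
    @Override
    public SignatureAlgorithm getAlgorithm() {
        return this.supportedAlgo;
    }

    /** Returns the certificate given at construction, or null when built from a bare key. */
    public X509Certificate getX509Certificate() {
        return this.cert;
    }
}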
