package org.apache.cxf.rs.security.jose.jws;

import java.security.Key;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.cxf.rs.security.jose.common.JoseConstants;
import org.apache.cxf.rs.security.jose.common.JoseUtils;
import org.apache.cxf.rs.security.jose.common.KeyManagementUtils;
import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
import org.apache.cxf.rs.security.jose.jwk.KeyOperation;
import org.apache.cxf.rs.security.jose.jwk.KeyType;
import org.apache.cxf.rs.security.jose.jwk.PublicKeyUse;
import org.apache.cxf.rs.security.jose.jws.JwsException;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-322.zip:modules/system/layers/fuse/org/apache/cxf/3.1/cxf-rt-rs-security-jose-3.1.5.redhat-630322.jar:org/apache/cxf/rs/security/jose/jws/JwsUtils.class */
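/**
 * Static helpers for creating JWS signature providers and verifiers and for
 * signing and verifying compact JWS sequences.
 *
 * <p>Key material comes from one of three places: arguments supplied by the caller,
 * the key store described by the "rs.security" signature properties, or (verification
 * only) the headers of the incoming JWS ({@code jwk}, {@code x5c}, {@code x5t}).
 * The last source is attacker-influenced; see
 * {@link #loadSignatureVerifier(Properties, JwsHeaders)} for what is and is not
 * checked before such a key is used.
 */
public final class JwsUtils {
    private static final Logger LOG = LogUtils.getL7dLogger(JwsUtils.class);

    private JwsUtils() {
    }

    /**
     * Signs {@code str} with a private key; no content type header is set.
     *
     * @return the signed, encoded JWS produced by {@link JwsCompactProducer}
     */
    public static String sign(PrivateKey privateKey, SignatureAlgorithm signatureAlgorithm, String str) {
        return sign(privateKey, signatureAlgorithm, str, (String) null);
    }

    /**
     * Signs {@code str} with a private key.
     *
     * @param str  the content to sign
     * @param str2 the content type header value, or {@code null} to omit it
     */
    public static String sign(PrivateKey privateKey, SignatureAlgorithm signatureAlgorithm, String str, String str2) {
        return sign(getPrivateKeySignatureProvider(privateKey, signatureAlgorithm), str, str2);
    }

    /**
     * Signs {@code str2} with an HMAC key given in encoded form.
     *
     * @param str  the encoded HMAC key; it is decoded with {@code JoseUtils.decode}
     * @param str2 the content to sign
     */
    public static String sign(String str, SignatureAlgorithm signatureAlgorithm, String str2) {
        return sign(JoseUtils.decode(str), signatureAlgorithm, str2);
    }

    /**
     * Signs {@code str} with a raw HMAC key; no content type header is set.
     */
    public static String sign(byte[] bArr, SignatureAlgorithm signatureAlgorithm, String str) {
        return sign(bArr, signatureAlgorithm, str, (String) null);
    }

    /**
     * Signs {@code str} with a raw HMAC key.
     *
     * @param bArr the HMAC key bytes
     * @param str  the content to sign
     * @param str2 the content type header value, or {@code null} to omit it
     */
    public static String sign(byte[] bArr, SignatureAlgorithm signatureAlgorithm, String str, String str2) {
        return sign(getHmacSignatureProvider(bArr, signatureAlgorithm), str, str2);
    }

    /**
     * Verifies the compact JWS {@code str} with a public key and returns its decoded payload.
     *
     * @throws JwsException with {@code INVALID_SIGNATURE} if verification fails
     */
    public static String verify(PublicKey publicKey, SignatureAlgorithm signatureAlgorithm, String str) {
        return verify(getPublicKeySignatureVerifier(publicKey, signatureAlgorithm), str).getDecodedJwsPayload();
    }

    /**
     * Verifies the compact JWS {@code str2} with an HMAC key given in encoded form.
     *
     * @param str the encoded HMAC key; it is decoded with {@code JoseUtils.decode}
     */
    public static String verify(String str, SignatureAlgorithm signatureAlgorithm, String str2) {
        return verify(JoseUtils.decode(str), signatureAlgorithm, str2);
    }

    /**
     * Verifies the compact JWS {@code str} with a raw HMAC key and returns its decoded payload.
     *
     * @throws JwsException with {@code INVALID_SIGNATURE} if verification fails
     */
    public static String verify(byte[] bArr, SignatureAlgorithm signatureAlgorithm, String str) {
        return verify(getHmacSignatureVerifier(bArr, signatureAlgorithm), str).getDecodedJwsPayload();
    }

    /**
     * Creates a signature provider from a JWK, using the algorithm the JWK declares.
     */
    public static JwsSignatureProvider getSignatureProvider(JsonWebKey jsonWebKey) {
        return getSignatureProvider(jsonWebKey, null);
    }

    /**
     * Creates a signature provider from a JWK.
     *
     * @param signatureAlgorithm fallback used only when the JWK itself declares no algorithm
     * @return the provider, or {@code null} if the key type is not RSA, OCTET or EC
     */
    public static JwsSignatureProvider getSignatureProvider(JsonWebKey jsonWebKey, SignatureAlgorithm signatureAlgorithm) {
        // The algorithm bound to the key wins over the caller's suggestion.
        SignatureAlgorithm algorithm = jsonWebKey.getAlgorithm() == null
            ? signatureAlgorithm : SignatureAlgorithm.getAlgorithm(jsonWebKey.getAlgorithm());
        KeyType keyType = jsonWebKey.getKeyType();
        if (KeyType.RSA == keyType) {
            return getPrivateKeySignatureProvider(JwkUtils.toRSAPrivateKey(jsonWebKey), algorithm);
        }
        if (KeyType.OCTET == keyType) {
            return getHmacSignatureProvider(JoseUtils.decode((String) jsonWebKey.getProperty("k")), algorithm);
        }
        if (KeyType.EC == keyType) {
            return getPrivateKeySignatureProvider(JwkUtils.toECPrivateKey(jsonWebKey), algorithm);
        }
        return null;
    }

    /**
     * Creates a signature provider for an EC or RSA private key.
     *
     * @return the provider, or {@code null} if the key is neither EC nor RSA
     * @throws JwsException with {@code ALGORITHM_NOT_SET} if no algorithm is given
     */
    public static JwsSignatureProvider getPrivateKeySignatureProvider(PrivateKey privateKey, SignatureAlgorithm signatureAlgorithm) {
        requireAlgorithm(signatureAlgorithm);
        if (privateKey instanceof ECPrivateKey) {
            return new EcDsaJwsSignatureProvider((ECPrivateKey) privateKey, signatureAlgorithm);
        }
        if (privateKey instanceof RSAPrivateKey) {
            return new PrivateKeyJwsSignatureProvider(privateKey, signatureAlgorithm);
        }
        return null;
    }

    /**
     * Creates an HMAC signature provider from an encoded key.
     */
    public static JwsSignatureProvider getHmacSignatureProvider(String str, SignatureAlgorithm signatureAlgorithm) {
        return getHmacSignatureProvider(JoseUtils.decode(str), signatureAlgorithm);
    }

    /**
     * Creates an HMAC signature provider from raw key bytes.
     *
     * @return the provider, or {@code null} if the algorithm is not an HMAC algorithm
     * @throws JwsException with {@code ALGORITHM_NOT_SET} if no algorithm is given
     */
    public static JwsSignatureProvider getHmacSignatureProvider(byte[] bArr, SignatureAlgorithm signatureAlgorithm) {
        requireAlgorithm(signatureAlgorithm);
        if (AlgorithmUtils.isHmacSign(signatureAlgorithm.getJwaName())) {
            return new HmacJwsSignatureProvider(bArr, signatureAlgorithm);
        }
        return null;
    }

    /**
     * Creates a signature verifier from a JWK, using the algorithm the JWK declares.
     */
    public static JwsSignatureVerifier getSignatureVerifier(JsonWebKey jsonWebKey) {
        return getSignatureVerifier(jsonWebKey, null);
    }

    /**
     * Creates a signature verifier from a JWK.
     *
     * @param signatureAlgorithm fallback used only when the JWK itself declares no algorithm
     * @return the verifier, or {@code null} if the key type is not RSA, OCTET or EC
     */
    public static JwsSignatureVerifier getSignatureVerifier(JsonWebKey jsonWebKey, SignatureAlgorithm signatureAlgorithm) {
        // The algorithm bound to the key wins over the caller's suggestion.
        SignatureAlgorithm algorithm = jsonWebKey.getAlgorithm() == null
            ? signatureAlgorithm : SignatureAlgorithm.getAlgorithm(jsonWebKey.getAlgorithm());
        KeyType keyType = jsonWebKey.getKeyType();
        if (KeyType.RSA == keyType) {
            return getPublicKeySignatureVerifier(JwkUtils.toRSAPublicKey(jsonWebKey, true), algorithm);
        }
        if (KeyType.OCTET == keyType) {
            return getHmacSignatureVerifier(JoseUtils.decode((String) jsonWebKey.getProperty("k")), algorithm);
        }
        if (KeyType.EC == keyType) {
            return getPublicKeySignatureVerifier(JwkUtils.toECPublicKey(jsonWebKey), algorithm);
        }
        return null;
    }

    /**
     * Creates a verifier for the public key of an X.509 certificate.
     *
     * <p>This method does not validate the certificate; callers must establish trust
     * in it before relying on the verifier.
     *
     * @return the verifier, or {@code null} if the certificate is {@code null} or its
     *         key is neither RSA nor EC
     * @throws JwsException with {@code ALGORITHM_NOT_SET} if no algorithm is given
     */
    public static JwsSignatureVerifier getPublicKeySignatureVerifier(X509Certificate x509Certificate, SignatureAlgorithm signatureAlgorithm) {
        requireAlgorithm(signatureAlgorithm);
        if (x509Certificate == null) {
            return null;
        }
        PublicKey certificateKey = x509Certificate.getPublicKey();
        if (certificateKey instanceof RSAPublicKey) {
            return new PublicKeyJwsSignatureVerifier(x509Certificate, signatureAlgorithm);
        }
        if (certificateKey instanceof ECPublicKey) {
            return new EcDsaJwsSignatureVerifier(x509Certificate, signatureAlgorithm);
        }
        return null;
    }

    /**
     * Creates a verifier for an RSA or EC public key.
     *
     * @return the verifier, or {@code null} if the key is neither RSA nor EC
     * @throws JwsException with {@code ALGORITHM_NOT_SET} if no algorithm is given
     */
    public static JwsSignatureVerifier getPublicKeySignatureVerifier(PublicKey publicKey, SignatureAlgorithm signatureAlgorithm) {
        requireAlgorithm(signatureAlgorithm);
        if (publicKey instanceof RSAPublicKey) {
            return new PublicKeyJwsSignatureVerifier(publicKey, signatureAlgorithm);
        }
        if (publicKey instanceof ECPublicKey) {
            return new EcDsaJwsSignatureVerifier(publicKey, signatureAlgorithm);
        }
        return null;
    }

    /**
     * Creates an HMAC verifier from an encoded key.
     */
    public static JwsSignatureVerifier getHmacSignatureVerifier(String str, SignatureAlgorithm signatureAlgorithm) {
        return getHmacSignatureVerifier(JoseUtils.decode(str), signatureAlgorithm);
    }

    /**
     * Creates an HMAC verifier from raw key bytes.
     *
     * @return the verifier, or {@code null} if the algorithm is not an HMAC algorithm
     * @throws JwsException with {@code ALGORITHM_NOT_SET} if no algorithm is given
     */
    public static JwsSignatureVerifier getHmacSignatureVerifier(byte[] bArr, SignatureAlgorithm signatureAlgorithm) {
        requireAlgorithm(signatureAlgorithm);
        if (AlgorithmUtils.isHmacSign(signatureAlgorithm.getJwaName())) {
            return new HmacJwsSignatureVerifier(bArr, signatureAlgorithm);
        }
        return null;
    }

    /**
     * Groups JWS JSON signature entries by the signature algorithm in their union header.
     *
     * @return a new map from algorithm to the entries using it, in input order per algorithm
     */
    public static Map<SignatureAlgorithm, List<JwsJsonSignatureEntry>> getJwsJsonSignatureMap(List<JwsJsonSignatureEntry> list) {
        Map<SignatureAlgorithm, List<JwsJsonSignatureEntry>> byAlgorithm =
            new HashMap<SignatureAlgorithm, List<JwsJsonSignatureEntry>>();
        for (JwsJsonSignatureEntry entry : list) {
            SignatureAlgorithm algorithm = entry.getUnionHeader().getSignatureAlgorithm();
            List<JwsJsonSignatureEntry> sameAlgorithm = byAlgorithm.get(algorithm);
            if (sameAlgorithm == null) {
                sameAlgorithm = new ArrayList<JwsJsonSignatureEntry>();
                byAlgorithm.put(algorithm, sameAlgorithm);
            }
            sameAlgorithm.add(entry);
        }
        return byAlgorithm;
    }

    /**
     * Loads the outbound signature provider from the current message's signature properties.
     *
     * @param z forwarded to {@code KeyManagementUtils.loadStoreProperties}; presumably
     *          whether the properties are required - confirm against that method
     */
    public static JwsSignatureProvider loadSignatureProvider(boolean z) {
        return loadSignatureProvider((JwsHeaders) null, z);
    }

    /**
     * Loads the outbound signature provider and, when headers are given, records the
     * provider's algorithm in them.
     *
     * @return the provider, or {@code null} if no signature properties were found
     */
    public static JwsSignatureProvider loadSignatureProvider(JwsHeaders jwsHeaders, boolean z) {
        Properties outProperties = loadSignatureOutProperties(z);
        if (outProperties == null) {
            return null;
        }
        JwsSignatureProvider provider = loadSignatureProvider(outProperties, jwsHeaders);
        if (jwsHeaders != null) {
            jwsHeaders.setSignatureAlgorithm(provider.getAlgorithm());
        }
        return provider;
    }

    /**
     * Loads the outbound signature properties for the current message.
     */
    public static Properties loadSignatureOutProperties(boolean z) {
        return KeyManagementUtils.loadStoreProperties(PhaseInterceptorChain.getCurrentMessage(), z, JoseConstants.RSSEC_SIGNATURE_OUT_PROPS, JoseConstants.RSSEC_SIGNATURE_PROPS);
    }

    /**
     * Loads the inbound signature properties for the current message.
     */
    public static Properties loadSignatureInProperties(boolean z) {
        return KeyManagementUtils.loadStoreProperties(PhaseInterceptorChain.getCurrentMessage(), z, JoseConstants.RSSEC_SIGNATURE_IN_PROPS, JoseConstants.RSSEC_SIGNATURE_PROPS);
    }

    /**
     * Loads signature properties for the current message under the given property name.
     */
    public static Properties loadSignatureProperties(String str, boolean z) {
        return KeyManagementUtils.loadStoreProperties(PhaseInterceptorChain.getCurrentMessage(), z, str, null);
    }

    /**
     * Loads the inbound signature verifier without consulting any JWS headers.
     */
    public static JwsSignatureVerifier loadSignatureVerifier(boolean z) {
        return loadSignatureVerifier((JwsHeaders) null, z);
    }

    /**
     * Loads the inbound signature verifier, preferring key material referenced by
     * {@code jwsHeaders} when present.
     */
    public static JwsSignatureVerifier loadSignatureVerifier(JwsHeaders jwsHeaders, boolean z) {
        return loadSignatureVerifier(loadSignatureInProperties(z), jwsHeaders);
    }

    /**
     * Loads one or more signature providers from the properties at location {@code str}.
     *
     * <p>A single configured key yields a singleton list; otherwise, for a JWK key
     * store, one provider is created per key usable for signing.
     *
     * @throws JwsException with {@code NO_PROVIDER} if nothing could be loaded
     */
    public static List<JwsSignatureProvider> loadSignatureProviders(String str, Message message) {
        Properties jwsProperties = loadJwsProperties(message, str);
        JwsSignatureProvider single = loadSignatureProvider(message, jwsProperties, null, true);
        if (single != null) {
            return Collections.singletonList(single);
        }
        if (JoseConstants.HEADER_JSON_WEB_KEY.equals(jwsProperties.get(JoseConstants.RSSEC_KEY_STORE_TYPE))) {
            List<JsonWebKey> signingKeys = JwkUtils.loadJsonWebKeys(message, jwsProperties, KeyOperation.SIGN);
            if (signingKeys != null) {
                List<JwsSignatureProvider> providers = new ArrayList<JwsSignatureProvider>(signingKeys.size());
                for (JsonWebKey signingKey : signingKeys) {
                    providers.add(getSignatureProvider(signingKey));
                }
                return providers;
            }
        }
        LOG.warning("Providers are not available");
        throw new JwsException(JwsException.Error.NO_PROVIDER);
    }

    /**
     * Loads one or more signature verifiers from the properties at location {@code str}.
     *
     * <p>A single configured key yields a singleton list; otherwise, for a JWK key
     * store, one verifier is created per key usable for verification.
     *
     * @throws JwsException with {@code NO_VERIFIER} if nothing could be loaded
     */
    public static List<JwsSignatureVerifier> loadSignatureVerifiers(String str, Message message) {
        Properties jwsProperties = loadJwsProperties(message, str);
        JwsSignatureVerifier single = loadSignatureVerifier(message, jwsProperties, null, true);
        if (single != null) {
            return Collections.singletonList(single);
        }
        if (JoseConstants.HEADER_JSON_WEB_KEY.equals(jwsProperties.get(JoseConstants.RSSEC_KEY_STORE_TYPE))) {
            List<JsonWebKey> verificationKeys = JwkUtils.loadJsonWebKeys(message, jwsProperties, KeyOperation.VERIFY);
            if (verificationKeys != null) {
                List<JwsSignatureVerifier> verifiers = new ArrayList<JwsSignatureVerifier>(verificationKeys.size());
                for (JsonWebKey verificationKey : verificationKeys) {
                    verifiers.add(getSignatureVerifier(verificationKey));
                }
                return verifiers;
            }
        }
        LOG.warning("Verifiers are not available");
        throw new JwsException(JwsException.Error.NO_VERIFIER);
    }

    /**
     * Delegates to {@code JoseUtils.validateCriticalHeaders}.
     */
    public static boolean validateCriticalHeaders(JwsHeaders jwsHeaders) {
        return JoseUtils.validateCriticalHeaders(jwsHeaders);
    }

    /**
     * Loads a signature provider from the given properties for the current message.
     *
     * @throws JwsException with {@code NO_PROVIDER} if no provider could be created
     */
    public static JwsSignatureProvider loadSignatureProvider(Properties properties, JwsHeaders jwsHeaders) {
        return loadSignatureProvider(PhaseInterceptorChain.getCurrentMessage(), properties, jwsHeaders, false);
    }

    /**
     * Builds the provider from the configured key store and, when {@code jwsHeaders}
     * is non-null, adds the key references enabled by contextual properties
     * (certificate chain, SHA-1 thumbprint, public key, key id) to the headers.
     *
     * @param z when {@code true}, a missing provider is returned as {@code null}
     *          instead of raising {@code NO_PROVIDER}
     */
    private static JwsSignatureProvider loadSignatureProvider(Message message, Properties properties, JwsHeaders jwsHeaders, boolean z) {
        JwsSignatureProvider provider = null;
        boolean haveHeaders = jwsHeaders != null;
        boolean includeCert = haveHeaders && MessageUtils.getContextualBoolean(message, JoseConstants.RSSEC_SIGNATURE_INCLUDE_CERT, false);
        boolean includeCertSha1 = haveHeaders && MessageUtils.getContextualBoolean(message, JoseConstants.RSSEC_SIGNATURE_INCLUDE_CERT_SHA1, false);
        if (JoseConstants.HEADER_JSON_WEB_KEY.equals(properties.get(JoseConstants.RSSEC_KEY_STORE_TYPE))) {
            JsonWebKey signingKey = JwkUtils.loadJsonWebKey(message, properties, KeyOperation.SIGN);
            if (signingKey != null) {
                SignatureAlgorithm algorithm = getSignatureAlgorithm(message, properties,
                    SignatureAlgorithm.getAlgorithm(signingKey.getAlgorithm()), getDefaultKeyAlgorithm(signingKey));
                provider = getSignatureProvider(signingKey, algorithm);
                boolean includePublicKey = haveHeaders && MessageUtils.getContextualBoolean(message, JoseConstants.RSSEC_SIGNATURE_INCLUDE_PUBLIC_KEY, false);
                boolean includeKeyId = haveHeaders && MessageUtils.getContextualBoolean(message, JoseConstants.RSSEC_SIGNATURE_INCLUDE_KEY_ID, false);
                if (includeCert) {
                    JwkUtils.includeCertChain(signingKey, jwsHeaders, algorithm.getJwaName());
                }
                if (includeCertSha1) {
                    String thumbprint = KeyManagementUtils.loadDigestAndEncodeX509Certificate(message, properties);
                    if (thumbprint != null) {
                        jwsHeaders.setX509Thumbprint(thumbprint);
                    }
                }
                if (includePublicKey) {
                    JwkUtils.includePublicKey(signingKey, jwsHeaders, algorithm.getJwaName());
                }
                if (includeKeyId && signingKey.getKeyId() != null) {
                    jwsHeaders.setKeyId(signingKey.getKeyId());
                }
            }
        } else {
            SignatureAlgorithm algorithm = getSignatureAlgorithm(message, properties, null, null);
            if (algorithm == SignatureAlgorithm.NONE) {
                // Configuration explicitly asks for an unsecured JWS: the output carries no signature.
                provider = new NoneJwsSignatureProvider();
            } else {
                provider = getPrivateKeySignatureProvider(KeyManagementUtils.loadPrivateKey(message, properties, KeyOperation.SIGN), algorithm);
                if (includeCert) {
                    jwsHeaders.setX509Chain(KeyManagementUtils.loadAndEncodeX509CertificateOrChain(message, properties));
                }
                if (includeCertSha1) {
                    String thumbprint = KeyManagementUtils.loadDigestAndEncodeX509Certificate(message, properties);
                    if (thumbprint != null) {
                        jwsHeaders.setX509Thumbprint(thumbprint);
                    }
                }
            }
        }
        if (provider != null || z) {
            return provider;
        }
        LOG.warning("Provider is not available");
        throw new JwsException(JwsException.Error.NO_PROVIDER);
    }

    /**
     * Loads a signature verifier for the current message.
     *
     * <p>Key references in {@code jwsHeaders} are tried first, in this order:
     * <ul>
     * <li>{@code jwk}: used only when the {@code RSSEC_ACCEPT_PUBLIC_KEY} contextual
     *     property is enabled and the header key id, if any, matches the embedded key;
     *     otherwise {@code INVALID_KEY} is raised. A successful check against an
     *     embedded key shows only that the JWS is self-consistent; this class does not
     *     establish trust in that key, so deployments enabling the property must do so
     *     elsewhere.</li>
     * <li>{@code x5c}: the chain is passed to
     *     {@code KeyManagementUtils.validateCertificateChain} before its first
     *     certificate is used.</li>
     * <li>{@code x5t}: the certificate is looked up by SHA-1 thumbprint via
     *     {@code KeyManagementUtils.getCertificateFromThumbprint}.</li>
     * </ul>
     * On all three paths the algorithm is the one named in the headers, not the
     * configured one. If none applies, the configured key store is used.
     *
     * @throws JwsException with {@code NO_VERIFIER} if no verifier could be created
     */
    public static JwsSignatureVerifier loadSignatureVerifier(Properties properties, JwsHeaders jwsHeaders) {
        return loadSignatureVerifier(PhaseInterceptorChain.getCurrentMessage(), properties, jwsHeaders, false);
    }

    /**
     * Implementation of {@link #loadSignatureVerifier(Properties, JwsHeaders)}.
     *
     * @param z when {@code true}, a missing verifier is returned as {@code null}
     *          instead of raising {@code NO_VERIFIER}
     */
    private static JwsSignatureVerifier loadSignatureVerifier(Message message, Properties properties, JwsHeaders jwsHeaders, boolean z) {
        JwsSignatureVerifier verifier = null;
        String headerKeyId = null;
        if (jwsHeaders != null) {
            headerKeyId = jwsHeaders.getKeyId();
            if (jwsHeaders.getHeader(JoseConstants.HEADER_JSON_WEB_KEY) != null) {
                // Sender-supplied key: rejected unless acceptance was explicitly configured.
                JsonWebKey embeddedKey = jwsHeaders.getJsonWebKey();
                boolean keyIdConsistent = headerKeyId == null || headerKeyId.equals(embeddedKey.getKeyId());
                if (keyIdConsistent && MessageUtils.getContextualBoolean(message, JoseConstants.RSSEC_ACCEPT_PUBLIC_KEY, false)) {
                    return getSignatureVerifier(embeddedKey, jwsHeaders.getSignatureAlgorithm());
                }
                throw new JwsException(JwsException.Error.INVALID_KEY);
            }
            if (jwsHeaders.getHeader("x5c") != null) {
                List<X509Certificate> chain = KeyManagementUtils.toX509CertificateChain(jwsHeaders.getX509Chain());
                // Validation must precede any use of the sender-supplied leaf certificate.
                KeyManagementUtils.validateCertificateChain(properties, chain);
                return getPublicKeySignatureVerifier(chain.get(0), jwsHeaders.getSignatureAlgorithm());
            }
            if (jwsHeaders.getHeader("x5t") != null) {
                X509Certificate byThumbprint = KeyManagementUtils.getCertificateFromThumbprint(jwsHeaders.getX509Thumbprint(), "SHA-1", message, properties);
                if (byThumbprint != null) {
                    return getPublicKeySignatureVerifier(byThumbprint, jwsHeaders.getSignatureAlgorithm());
                }
            }
        }
        // Properties may be absent (the store-properties loader can return null); in that
        // case there is no configured key store to consult and no verifier is produced.
        if (properties != null) {
            if (JoseConstants.HEADER_JSON_WEB_KEY.equals(properties.get(JoseConstants.RSSEC_KEY_STORE_TYPE))) {
                JsonWebKey verificationKey = JwkUtils.loadJsonWebKey(message, properties, KeyOperation.VERIFY, headerKeyId);
                if (verificationKey != null) {
                    verifier = getSignatureVerifier(verificationKey, getSignatureAlgorithm(message, properties,
                        SignatureAlgorithm.getAlgorithm(verificationKey.getAlgorithm()), getDefaultKeyAlgorithm(verificationKey)));
                }
            } else {
                SignatureAlgorithm algorithm = getSignatureAlgorithm(message, properties, null, null);
                // An unsecured JWS is accepted only when BOTH the configuration and the
                // incoming header say "none"; without headers there is nothing to match,
                // so the certificate path below is taken instead of dereferencing null.
                if (algorithm == SignatureAlgorithm.NONE && jwsHeaders != null
                    && SignatureAlgorithm.NONE.getJwaName().equals(jwsHeaders.getAlgorithm())) {
                    verifier = new NoneJwsSignatureVerifier();
                } else {
                    X509Certificate[] configuredCerts = KeyManagementUtils.loadX509CertificateOrChain(message, properties);
                    if (configuredCerts != null && configuredCerts.length > 0) {
                        verifier = getPublicKeySignatureVerifier(configuredCerts[0], algorithm);
                    }
                }
            }
        }
        if (verifier != null || z) {
            return verifier;
        }
        LOG.warning("Verifier is not available");
        throw new JwsException(JwsException.Error.NO_VERIFIER);
    }

    /**
     * Loads the JWS properties at location {@code str} using the message's bus.
     *
     * @throws JwsException with {@code NO_INIT_PROPERTIES} if loading fails for any reason
     */
    private static Properties loadJwsProperties(Message message, String str) {
        try {
            return JoseUtils.loadProperties(str, message.getExchange().getBus());
        } catch (Exception e) {
            // The thrown JwsException carries only the error code, so keep the cause in the log.
            LOG.log(Level.WARNING, "JWS init properties are not available", e);
            throw new JwsException(JwsException.Error.NO_INIT_PROPERTIES);
        }
    }

    /**
     * Resolves the signature algorithm to use.
     *
     * <p>A non-null {@code signatureAlgorithm} is returned as is. Otherwise the
     * deprecated algorithm property is read from {@code properties} and then from the
     * message context; failing that, the current property is read from
     * {@code properties} with {@code signatureAlgorithm2} (RS256 if {@code null}) as
     * the default.
     *
     * @return the resolved algorithm; {@code null} when {@code signatureAlgorithm} and
     *         {@code properties} are both {@code null} and no deprecated property is set
     */
    public static SignatureAlgorithm getSignatureAlgorithm(Message message, Properties properties, SignatureAlgorithm signatureAlgorithm, SignatureAlgorithm signatureAlgorithm2) {
        if (signatureAlgorithm != null) {
            return signatureAlgorithm;
        }
        SignatureAlgorithm defaultAlgorithm = signatureAlgorithm2 == null ? SignatureAlgorithm.RS256 : signatureAlgorithm2;
        String deprecatedName = null;
        if (properties != null) {
            deprecatedName = properties.getProperty(JoseConstants.DEPR_RSSEC_SIGNATURE_ALGORITHM);
        }
        if (deprecatedName == null && message != null) {
            deprecatedName = (String) message.getContextualProperty(JoseConstants.DEPR_RSSEC_SIGNATURE_ALGORITHM);
        }
        if (deprecatedName != null) {
            return SignatureAlgorithm.getAlgorithm(deprecatedName);
        }
        if (properties != null) {
            return getSignatureAlgorithm(properties, defaultAlgorithm);
        }
        // No properties to consult: the default is deliberately not applied here.
        return null;
    }

    /**
     * Reads the signature algorithm property, falling back to {@code signatureAlgorithm}.
     */
    public static SignatureAlgorithm getSignatureAlgorithm(Properties properties, SignatureAlgorithm signatureAlgorithm) {
        String defaultName = signatureAlgorithm == null ? null : signatureAlgorithm.getJwaName();
        return SignatureAlgorithm.getAlgorithm(KeyManagementUtils.getKeyAlgorithm(PhaseInterceptorChain.getCurrentMessage(), properties, JoseConstants.RSSEC_SIGNATURE_ALGORITHM, defaultName));
    }

    /**
     * Returns the default algorithm for a key type: HS256 for OCTET, ES256 for EC,
     * RS256 for anything else.
     */
    private static SignatureAlgorithm getDefaultKeyAlgorithm(JsonWebKey jsonWebKey) {
        KeyType keyType = jsonWebKey.getKeyType();
        if (KeyType.OCTET == keyType) {
            return SignatureAlgorithm.HS256;
        }
        if (KeyType.EC == keyType) {
            return SignatureAlgorithm.ES256;
        }
        return SignatureAlgorithm.RS256;
    }

    /**
     * Parses the compact JWS {@code str} and verifies it with the given verifier.
     *
     * @return the consumer holding the verified JWS
     * @throws JwsException with {@code INVALID_SIGNATURE} if verification fails
     */
    public static JwsCompactConsumer verify(JwsSignatureVerifier jwsSignatureVerifier, String str) {
        JwsCompactConsumer consumer = new JwsCompactConsumer(str);
        if (!consumer.verifySignatureWith(jwsSignatureVerifier)) {
            throw new JwsException(JwsException.Error.INVALID_SIGNATURE);
        }
        return consumer;
    }

    /**
     * Signs {@code str} with the given provider.
     *
     * @param str  the content to sign
     * @param str2 the content type header value, or {@code null} to omit it
     * @return the signed, encoded JWS produced by {@link JwsCompactProducer}
     */
    public static String sign(JwsSignatureProvider jwsSignatureProvider, String str, String str2) {
        JwsHeaders headers = new JwsHeaders();
        if (str2 != null) {
            headers.setContentType(str2);
        }
        JwsCompactProducer producer = new JwsCompactProducer(headers, str);
        producer.signWith(jwsSignatureProvider);
        return producer.getSignedEncodedJws();
    }

    /**
     * Validates a certificate chain against the inbound signature properties.
     */
    public static void validateJwsCertificateChain(List<X509Certificate> list) {
        KeyManagementUtils.validateCertificateChain(loadSignatureInProperties(true), list);
    }

    /**
     * Tells whether the headers mark the payload as unencoded, i.e. the payload
     * encoding status is present and false.
     */
    public static boolean isPayloadUnencoded(JwsHeaders jwsHeaders) {
        // equals() instead of ==: a Boolean that is not the cached Boolean.FALSE
        // instance must still be recognised as false.
        return Boolean.FALSE.equals(jwsHeaders.getPayloadEncodingStatus());
    }

    /**
     * Rejects RSA keys whose modulus is shorter than 2048 bits. Keys that are not
     * RSA keys are not checked.
     *
     * @throws JwsException with {@code INVALID_KEY} if the RSA key is too short
     */
    public static void checkSignatureKeySize(Key key) {
        if (!(key instanceof RSAKey)) {
            return;
        }
        int modulusBits = ((RSAKey) key).getModulus().bitLength();
        if (modulusBits >= 2048) {
            return;
        }
        LOG.fine("A key of size: " + modulusBits + " was used with an RSA signature algorithm. 2048 is the minimum size that is accepted");
        throw new JwsException(JwsException.Error.INVALID_KEY);
    }

    /**
     * Loads the public keys that peers can use to verify signatures made by this endpoint.
     *
     * <p>For a JWK key store the public JWK set is returned; otherwise the configured
     * public key is wrapped in a single JWK marked for signature use.
     */
    public static JsonWebKeys loadPublicVerificationKeys(Message message, Properties properties) {
        if (JoseConstants.HEADER_JSON_WEB_KEY.equals(properties.getProperty(JoseConstants.RSSEC_KEY_STORE_TYPE))) {
            return JwkUtils.loadPublicJwkSet(message, properties);
        }
        JsonWebKey publicJwk = JwkUtils.fromPublicKey(KeyManagementUtils.loadPublicKey(message, properties), properties, JoseConstants.RSSEC_SIGNATURE_ALGORITHM);
        publicJwk.setPublicKeyUse(PublicKeyUse.SIGN);
        return new JsonWebKeys(publicJwk);
    }

    /**
     * Fails fast when no signature algorithm was supplied, so that a provider or
     * verifier is never built with an unspecified algorithm.
     */
    private static void requireAlgorithm(SignatureAlgorithm signatureAlgorithm) {
        if (signatureAlgorithm == null) {
            LOG.warning("No signature algorithm was defined");
            throw new JwsException(JwsException.Error.ALGORITHM_NOT_SET);
        }
    }
}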
