package io.smallrye.jwt.auth.principal;

import io.smallrye.jwt.KeyFormat;
import io.smallrye.jwt.util.KeyUtils;
import io.smallrye.jwt.util.ResourceUtils;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
import org.jose4j.http.Get;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.OctetSequenceJsonWebKey;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.lang.JoseException;
import org.jose4j.lang.UnresolvableKeyException;

/* loaded from: input_file:io/smallrye/jwt/auth/principal/AbstractKeyLocationResolver.class */
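/**
 * Base class for resolvers that locate the key used to verify or decrypt a JWT.
 *
 * <p>The key material can come from a remote JWK set (fetched through jose4j's
 * {@link HttpsJwks}), from JWK / JWK-set content that is already in memory, or from a
 * resource read through {@link ResourceUtils}. TLS behaviour for the remote fetch is
 * driven by {@link JWTAuthContextInfo}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@link TrustAllHostnameVerifier} and {@link TrustedHostsHostnameVerifier} relax
 *       TLS hostname verification for the JWKS endpoint;</li>
 *   <li>{@link #isHttpsJwksInitialized(String)} accepts plain {@code http:} locations;</li>
 *   <li>{@link #verifyKid(JsonWebStructure, String)} does not reject a token that carries
 *       no {@code kid} header;</li>
 *   <li>{@link #getJsonWebKey(String, List, String)} accepts a key without an {@code alg}
 *       member for any requested algorithm.</li>
 * </ul>
 *
 * <p>This listing is decompiler output; parameter names such as {@code str}/{@code str2}
 * are synthetic.
 */
public class AbstractKeyLocationResolver {
    private static final String HTTP_SCHEME = "http:";
    private static final String HTTPS_SCHEME = "https:";
    // Single resolved key; not assigned anywhere in this class.
    protected Key key;
    // JWK set loaded from local content by tryJWKContent / loadJWKContent.
    protected List<JsonWebKey> jsonWebKeys;
    // Remote JWK set handle; non-null once isHttpsJwksInitialized has assigned it.
    protected HttpsJwks httpsJwks;
    // Wall-clock time (ms) of the last forced refresh attempt; 0 means "never".
    protected long lastForcedRefreshTime;
    // Guards lastForcedRefreshTime and serialises forced refreshes.
    protected Object forcedRefreshLock = new Object();
    protected JWTAuthContextInfo authContextInfo;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:io/smallrye/jwt/auth/principal/AbstractKeyLocationResolver$TrustAllHostnameVerifier.class */
    /**
     * Hostname verifier that accepts every host name.
     *
     * <p>SECURITY: with this verifier installed, a certificate is never rejected because it
     * was issued for a different host than the one being contacted. Any party able to
     * present a certificate that passes chain validation can then serve the JWK set, and
     * with it the keys that tokens are verified against. It is installed only when
     * {@code authContextInfo.isTlsTrustAll()} is true; that setting should be confined to
     * development and test environments.
     */
    public static class TrustAllHostnameVerifier implements HostnameVerifier {
        @Override // javax.net.ssl.HostnameVerifier
        public boolean verify(String str, SSLSession sSLSession) {
            // Unconditional accept: neither the host name nor the session is inspected.
            return true;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:io/smallrye/jwt/auth/principal/AbstractKeyLocationResolver$TrustedHostsHostnameVerifier.class */
    /**
     * Hostname verifier that accepts a host when its name is a member of a configured set.
     *
     * <p>SECURITY: the decision is based only on the requested host name. The peer
     * certificate in the {@link SSLSession} is not examined, so for a listed host a
     * certificate issued to a different name is accepted. Matching is whatever
     * {@link Set#contains(Object)} does for the supplied set (exact, case-sensitive string
     * equality for the usual hash-based sets).
     */
    public static class TrustedHostsHostnameVerifier implements HostnameVerifier {
        // Stored by reference, not copied: later changes to the caller's set are visible here.
        Set<String> hosts;

        /* JADX INFO: Access modifiers changed from: package-private */
        /**
         * @param set host names to accept; must not be null, because {@link #verify}
         *            dereferences it without a check
         */
        public TrustedHostsHostnameVerifier(Set<String> set) {
            this.hosts = set;
        }

        @Override // javax.net.ssl.HostnameVerifier
        public boolean verify(String str, SSLSession sSLSession) {
            return this.hosts.contains(str);
        }
    }

    /**
     * Stores the authentication context and logs it.
     *
     * @param jWTAuthContextInfo configuration that drives key location and TLS behaviour
     * @throws UnresolvableKeyException declared for subclasses; nothing in this body throws it
     */
    public AbstractKeyLocationResolver(JWTAuthContextInfo jWTAuthContextInfo) throws UnresolvableKeyException {
        this.authContextInfo = jWTAuthContextInfo;
        PrincipalLogging.log.authContextInfo(jWTAuthContextInfo);
    }

    /**
     * Reports whether the list contains a key whose key id equals the given one.
     *
     * @param list keys to search
     * @param str  key id to look for; {@code null} never matches
     * @return {@code true} if some key in {@code list} has key id {@code str}
     */
    protected static boolean isMatchingJwkAvailable(List<JsonWebKey> list, String str) {
        if (str == null) {
            return false;
        }
        for (JsonWebKey jsonWebKey : list) {
            if (str.equals(jsonWebKey.getKeyId())) {
                return true;
            }
        }
        return false;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Checks the token's {@code kid} header against an expected key id.
     *
     * <p>The check passes when no expected key id is given, when the token has no
     * {@code kid} header, or when the two are equal. SECURITY: a token that omits
     * {@code kid} is therefore not rejected here even when an expected key id is
     * configured; callers that need the header to be present must enforce that separately.
     *
     * @param jsonWebStructure the JWS/JWE whose header is inspected
     * @param str              the expected key id, or {@code null} to skip the check
     * @throws UnresolvableKeyException if both key ids are present and differ
     */
    public static void verifyKid(JsonWebStructure jsonWebStructure, String str) throws UnresolvableKeyException {
        if (str == null) {
            return;
        }
        String kid = getKid(jsonWebStructure);
        if (kid == null || kid.equals(str)) {
            return;
        }
        PrincipalLogging.log.invalidTokenKidHeader(kid, str);
        throw PrincipalMessages.msg.invalidTokenKid();
    }

    /**
     * Reads the {@code kid} header of the token.
     *
     * @param jsonWebStructure the JWS/JWE whose header is read
     * @return the string value of the {@code kid} header as returned by jose4j
     */
    protected static String getKid(JsonWebStructure jsonWebStructure) {
        return jsonWebStructure.getHeaders().getStringHeaderValue("kid");
    }

    /**
     * Builds an {@link HttpsJwks} for the location and configures the HTTP client it uses.
     *
     * <p>TLS options are applied only when the location starts with the literal
     * {@code "https:"} (a case-sensitive prefix test). Precedence is: trust-all before
     * trusted hosts, and an inline certificate before a certificate path. The proxy, if
     * configured, is applied to both {@code http:} and {@code https:} locations.
     *
     * @param str JWKS location
     * @return the configured, not yet refreshed, {@link HttpsJwks}
     * @throws IOException if the certificate resource cannot be read
     */
    protected HttpsJwks initializeHttpsJwks(String str) throws IOException {
        PrincipalLogging.log.tryCreateKeyFromHttpsJWKS();
        HttpsJwks httpsJwks = getHttpsJwks(str);
        Get httpGet = getHttpGet();
        if (str.startsWith(HTTPS_SCHEME)) {
            if (this.authContextInfo.isTlsTrustAll()) {
                // SECURITY: disables hostname verification for the JWKS endpoint.
                httpGet.setHostnameVerifier(new TrustAllHostnameVerifier());
            } else if (this.authContextInfo.getTlsTrustedHosts() != null) {
                httpGet.setHostnameVerifier(new TrustedHostsHostnameVerifier(this.authContextInfo.getTlsTrustedHosts()));
            }
            // NOTE(review): loadPEMCertificate returns null when the content cannot be parsed,
            // so the array handed to setTrustedCertificates may hold a null element. Confirm
            // how Get handles that; failing closed on an unparsable pinned certificate would
            // be the safer behaviour.
            if (this.authContextInfo.getTlsCertificate() != null) {
                httpGet.setTrustedCertificates(new X509Certificate[]{loadPEMCertificate(this.authContextInfo.getTlsCertificate())});
            } else if (this.authContextInfo.getTlsCertificatePath() != null) {
                httpGet.setTrustedCertificates(new X509Certificate[]{loadPEMCertificate(readKeyContent(this.authContextInfo.getTlsCertificatePath()))});
            }
        }
        if (this.authContextInfo.getHttpProxyHost() != null) {
            httpGet.setHttpProxy(new Proxy(Proxy.Type.HTTP, new InetSocketAddress(this.authContextInfo.getHttpProxyHost(), this.authContextInfo.getHttpProxyPort())));
        }
        httpsJwks.setSimpleHttpGet(httpGet);
        return httpsJwks;
    }

    /**
     * Creates the {@link HttpsJwks} and sets its default cache duration from the configured
     * JWKS refresh interval multiplied by 60.
     *
     * @param str JWKS location
     * @return a new {@link HttpsJwks} for the location
     */
    protected HttpsJwks getHttpsJwks(String str) {
        HttpsJwks httpsJwks = new HttpsJwks(str);
        httpsJwks.setDefaultCacheDuration(this.authContextInfo.getJwksRefreshInterval().longValue() * 60);
        return httpsJwks;
    }

    /**
     * Factory for the jose4j HTTP client; a seam that subclasses can override.
     *
     * @return a new {@link Get}
     */
    protected Get getHttpGet() {
        return new Get();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Tries to set up {@link #httpsJwks} for the location and performs an initial refresh.
     *
     * <p>SECURITY: both {@code https:} and plain {@code http:} locations are accepted. Over
     * {@code http:} the key set has no transport integrity protection, so whoever can alter
     * the response decides which keys tokens are verified against. Use {@code https:}
     * locations outside of local testing.
     *
     * <p>On a {@link JoseException} from the refresh the field is reset to {@code null}.
     * An {@link IOException} is not caught here; in that case the field keeps the value
     * assigned before the refresh.
     *
     * @param str JWKS location, may be {@code null}
     * @return {@code true} if the key format allows JWK, the location has an HTTP(S) scheme
     *         and the initial refresh succeeded
     * @throws IOException if configuring the client or refreshing fails with an I/O error
     */
    public boolean isHttpsJwksInitialized(String str) throws IOException {
        if (!mayBeFormat(KeyFormat.JWK) || str == null) {
            return false;
        }
        if (!str.startsWith(HTTPS_SCHEME) && !str.startsWith(HTTP_SCHEME)) {
            return false;
        }
        this.httpsJwks = initializeHttpsJwks(str);
        try {
            this.httpsJwks.refresh();
            return true;
        } catch (JoseException e) {
            this.httpsJwks = null;
            return false;
        }
    }

    /**
     * Refreshes the remote JWK set, at most once per forced-refresh interval.
     *
     * <p>The interval is the configured value multiplied by 60 * 1000, i.e. it is treated
     * as minutes. The timestamp is recorded before the refresh is attempted, so a failed
     * attempt also starts a new throttle window. The throttle bounds how often tokens with
     * an unknown {@code kid} can cause an outbound JWKS fetch.
     *
     * @return {@code false} only when a refresh was attempted and failed; {@code true} when
     *         the refresh succeeded or was skipped because of the throttle
     */
    protected boolean forcedHttpsJwksRefresh() {
        synchronized (this.forcedRefreshLock) {
            long currentTimeMillis = System.currentTimeMillis();
            if (this.lastForcedRefreshTime == 0 || currentTimeMillis > this.lastForcedRefreshTime + (this.authContextInfo.getForcedJwksRefreshInterval() * 60 * 1000)) {
                this.lastForcedRefreshTime = currentTimeMillis;
                try {
                    PrincipalLogging.log.kidIsNotAvailableRefreshingJWKSet();
                    this.httpsJwks.refresh();
                } catch (JoseException | IOException e) {
                    PrincipalLogging.log.failedToRefreshJWKSet(e);
                    return false;
                }
            } else {
                PrincipalLogging.log.matchingKidIsNotAvailableButJWTSRefreshed(this.authContextInfo.getForcedJwksRefreshInterval());
            }
        }
        return true;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Reads the content at a key or certificate location.
     *
     * @param str resource location, resolved by {@link ResourceUtils#readResource}
     * @return the resource content, never {@code null}
     * @throws IOException if reading fails or the resource is not found
     */
    public String readKeyContent(String str) throws IOException {
        String readResource = ResourceUtils.readResource(str, getUrlResolver());
        if (readResource == null) {
            throw PrincipalMessages.msg.resourceNotFound(str);
        }
        return readResource;
    }

    /**
     * Factory for the URL stream resolver; a seam that subclasses can override.
     *
     * @return a new {@link ResourceUtils.UrlStreamResolver}
     */
    protected ResourceUtils.UrlStreamResolver getUrlResolver() {
        return new ResourceUtils.UrlStreamResolver();
    }

    /**
     * Selects a key from the list by key id and algorithm.
     *
     * <p>With a non-null key id, the first key with that id whose {@code alg} is absent or
     * equal to {@code str2} is returned. Otherwise a single-key set is used as a fallback:
     * the sole key is returned if its {@code alg} is absent or equal to {@code str2}, unless
     * a key id was requested and that key declares a (necessarily different) key id.
     *
     * <p>SECURITY: a key with no {@code alg} member is accepted for any requested
     * algorithm, so restricting the accepted algorithms has to happen in the caller.
     *
     * <p>NOTE(review): {@code str2} is dereferenced without a null check. Inside the loop
     * the resulting exception is caught and turned into {@code null}; in the single-key
     * fallback it would propagate. Confirm callers never pass a null algorithm.
     *
     * @param str  requested key id, may be {@code null}
     * @param list candidate keys
     * @param str2 requested algorithm name
     * @return the selected key, or {@code null} if none qualifies
     */
    protected static JsonWebKey getJsonWebKey(String str, List<JsonWebKey> list, String str2) {
        PrincipalLogging.log.tryCreateKeyFromJWKS();
        if (str != null) {
            try {
                for (JsonWebKey jsonWebKey : list) {
                    if (str.equals(jsonWebKey.getKeyId()) && (jsonWebKey.getAlgorithm() == null || str2.equals(jsonWebKey.getAlgorithm()))) {
                        return jsonWebKey;
                    }
                }
            } catch (Exception e) {
                PrincipalLogging.log.failedToCreateKeyFromJWKS(e);
                return null;
            }
        }
        if (list.size() != 1) {
            return null;
        }
        // A requested kid that did not match above must not fall back to a key that
        // declares its own kid; only a kid-less sole key is eligible.
        if (str != null && list.get(0).getKeyId() != null) {
            return null;
        }
        if (list.get(0).getAlgorithm() == null || str2.equals(list.get(0).getAlgorithm())) {
            return list.get(0);
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * @param keyFormat format to test
     * @return {@code true} if the configured key format is {@code keyFormat} or
     *         {@link KeyFormat#ANY}
     */
    public boolean mayBeFormat(KeyFormat keyFormat) {
        return isFormat(keyFormat) || this.authContextInfo.getKeyFormat() == KeyFormat.ANY;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * @param keyFormat format to test
     * @return {@code true} if the configured key format is exactly {@code keyFormat}
     */
    public boolean isFormat(KeyFormat keyFormat) {
        return this.authContextInfo.getKeyFormat() == keyFormat;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Always throws: wraps a key-loading failure in an {@link UnresolvableKeyException}.
     *
     * @param str  inline key content; when {@code null} the message names the location
     * @param str2 key location, used in the message only when {@code str} is {@code null}
     * @param exc  the underlying failure, passed on as the cause
     * @throws UnresolvableKeyException always
     */
    public static void reportLoadKeyException(String str, String str2, Exception exc) throws UnresolvableKeyException {
        if (str == null) {
            throw PrincipalMessages.msg.failedToLoadKeyFromLocation(str2, exc);
        }
        throw PrincipalMessages.msg.failedToLoadKey(exc);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Always throws: reports that no key could be resolved.
     *
     * @param str  inline key content; when {@code null} the message names the location
     * @param str2 key location, used in the message only when {@code str} is {@code null}
     * @throws UnresolvableKeyException always
     */
    public static void reportUnresolvableKeyException(String str, String str2) throws UnresolvableKeyException {
        if (str == null) {
            throw PrincipalMessages.msg.failedToLoadKeyFromLocationWhileResolving(str2);
        }
        throw PrincipalMessages.msg.failedToLoadKeyWhileResolving();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Looks up the key for a token in the remote JWK set if one is initialised, otherwise
     * in the locally loaded JWK set.
     *
     * @param jsonWebStructure token whose {@code kid} header selects the key
     * @param str              requested algorithm name
     * @return the matching key, or {@code null} if no set is loaded or nothing matches
     * @throws UnresolvableKeyException declared for subclasses; not thrown by this body
     */
    public JsonWebKey tryAsJwk(JsonWebStructure jsonWebStructure, String str) throws UnresolvableKeyException {
        String kid = getKid(jsonWebStructure);
        if (this.httpsJwks != null) {
            return getHttpsJwk(kid, str);
        }
        if (this.jsonWebKeys != null) {
            return getJsonWebKey(kid, this.jsonWebKeys, str);
        }
        return null;
    }

    /**
     * Looks up a key in the remote JWK set, forcing one throttled refresh when the cached
     * set has no key with the requested id.
     *
     * <p>The decompiler could not restructure this method and emitted a stub that throws
     * {@link UnsupportedOperationException}; this body is rebuilt from the instruction dump
     * it printed and should be checked against the upstream source.
     *
     * <p>If the cached set yields a key, or contains a key with the requested id that was
     * rejected (for example on algorithm), the result is returned without a refresh. The
     * return value of {@link #forcedHttpsJwksRefresh()} is ignored, so the second lookup
     * runs even when the refresh failed or was throttled.
     *
     * @param str  requested key id, may be {@code null}
     * @param str2 requested algorithm name
     * @return the matching key, or {@code null} if none is found or a lookup fails
     */
    protected JsonWebKey getHttpsJwk(String str, String str2) {
        PrincipalLogging.log.tryCreateKeyFromHttpsJWKS();
        try {
            List<JsonWebKey> cachedKeys = this.httpsJwks.getJsonWebKeys();
            JsonWebKey jsonWebKey = getJsonWebKey(str, cachedKeys, str2);
            // A known kid with no usable key is a definitive miss; only an unknown kid
            // justifies going back to the endpoint.
            if (jsonWebKey != null || isMatchingJwkAvailable(cachedKeys, str)) {
                return jsonWebKey;
            }
        } catch (Exception e) {
            PrincipalLogging.log.failedToCreateKeyFromJWKSet(e);
        }
        forcedHttpsJwksRefresh();
        try {
            PrincipalLogging.log.tryCreateKeyFromJWKSAfterRefresh();
            return getJsonWebKey(str, this.httpsJwks.getJsonWebKeys(), str2);
        } catch (Exception e) {
            PrincipalLogging.log.failedToCreateKeyFromJWKSAfterRefresh(e);
            return null;
        }
    }

    /**
     * Selects a key from the locally loaded JWK set.
     *
     * @param str  requested key id, may be {@code null}
     * @param str2 requested algorithm name
     * @return the selected key, or {@code null}
     */
    protected JsonWebKey getJsonWebKey(String str, String str2) {
        return getJsonWebKey(str, this.jsonWebKeys, str2);
    }

    /**
     * Parses the content as a JWK or JWK set and looks up a key in it.
     *
     * <p>Side effect: {@link #jsonWebKeys} is overwritten with the parse result. When the
     * key id is {@code null} no lookup is made and {@code null} is returned even if the
     * content parsed.
     *
     * @param str  JWK or JWK-set content
     * @param str2 requested key id
     * @param str3 requested algorithm name
     * @param z    {@code true} if the content was Base64url-decoded first; only selects
     *             which success message is logged
     * @return the selected key, or {@code null}
     */
    protected JsonWebKey tryJWKContent(String str, String str2, String str3, boolean z) {
        this.jsonWebKeys = KeyUtils.loadJsonWebKeys(str);
        JsonWebKey jsonWebKey = null;
        if (this.jsonWebKeys != null && str2 != null) {
            jsonWebKey = getJsonWebKey(str2, this.jsonWebKeys, str3);
            if (jsonWebKey != null) {
                if (z) {
                    PrincipalLogging.log.keyCreatedFromEncodedJWKKeyOrJWKKeySet();
                } else {
                    PrincipalLogging.log.keyCreatedFromJWKKeyOrJWKKeySet();
                }
            }
        }
        return jsonWebKey;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Parses the content as a JWK or JWK set and stores the result in {@link #jsonWebKeys}.
     *
     * @param str JWK or JWK-set content
     */
    public void loadJWKContent(String str) {
        this.jsonWebKeys = KeyUtils.loadJsonWebKeys(str);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Tries the content first as plain JWK / JWK set, then as Base64url-encoded JWK / JWK
     * set, subject to the configured key format.
     *
     * <p>The Base64url attempt is made only when the plain attempt left
     * {@link #jsonWebKeys} {@code null}. A decoding failure is logged and yields
     * {@code null}.
     *
     * @param str  key content
     * @param str2 requested key id
     * @param str3 requested algorithm name
     * @return the selected key, or {@code null}
     */
    public JsonWebKey loadFromJwk(String str, String str2, String str3) {
        JsonWebKey jsonWebKey = null;
        if (mayBeFormat(KeyFormat.JWK)) {
            PrincipalLogging.log.checkKeyContentIsJWKKeyOrJWKKeySet();
            jsonWebKey = tryJWKContent(str, str2, str3, false);
            if (jsonWebKey != null || isFormat(KeyFormat.JWK)) {
                return jsonWebKey;
            }
        }
        if (this.jsonWebKeys == null && mayBeFormat(KeyFormat.JWK_BASE64URL)) {
            try {
                PrincipalLogging.log.checkKeyContentIsBase64EncodedJWKKeyOrJWKKeySet();
                jsonWebKey = tryJWKContent(new String(Base64.getUrlDecoder().decode(str.getBytes(StandardCharsets.UTF_8)), StandardCharsets.UTF_8), str2, str3, true);
            } catch (IllegalArgumentException e) {
                PrincipalLogging.log.unableToDecodeContentUsingBase64(e);
            }
        }
        return jsonWebKey;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Extracts the symmetric key from an octet-sequence JWK.
     *
     * @param jsonWebKey the JWK, may be {@code null}
     * @return the secret key, or {@code null} if the JWK is not an
     *         {@link OctetSequenceJsonWebKey}
     */
    public Key getSecretKeyFromJwk(JsonWebKey jsonWebKey) {
        if (jsonWebKey instanceof OctetSequenceJsonWebKey) {
            return ((OctetSequenceJsonWebKey) jsonWebKey).getKey();
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Parses certificate content into an {@link X509Certificate}.
     *
     * <p>Any exception from parsing is logged and swallowed, so callers receive
     * {@code null} for invalid content and must check for it.
     *
     * @param str certificate content, parsed by {@link KeyUtils#getCertificate}
     * @return the certificate, or {@code null} if the content could not be parsed
     */
    public static X509Certificate loadPEMCertificate(String str) {
        PrincipalLogging.log.checkKeyContentIsBase64EncodedPEMCertificate();
        X509Certificate x509Certificate = null;
        try {
            x509Certificate = KeyUtils.getCertificate(str);
            PrincipalLogging.log.publicKeyCreatedFromEncodedPEMCertificate();
        } catch (Exception e) {
            PrincipalLogging.log.keyContentIsNotValidEncodedPEMCertificate(e);
        }
        return x509Certificate;
    }
}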
