package io.smallrye.jwt.config;

import io.smallrye.jwt.KeyFormat;
import io.smallrye.jwt.KeyProvider;
import io.smallrye.jwt.SmallryeJwtUtils;
import io.smallrye.jwt.algorithm.KeyEncryptionAlgorithm;
import io.smallrye.jwt.algorithm.SignatureAlgorithm;
import io.smallrye.jwt.auth.principal.JWTAuthContextInfo;
import io.smallrye.jwt.util.KeyUtils;
import io.smallrye.jwt.util.ResourceUtils;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.context.Dependent;
import jakarta.enterprise.inject.Produces;
import jakarta.inject.Inject;
import java.io.IOException;
import java.io.InputStream;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Optional;
import java.util.Set;
import org.eclipse.microprofile.config.inject.ConfigProperty;

@Dependent
/* loaded from: input_file:io/smallrye/jwt/config/JWTAuthContextInfoProvider.class */
public class JWTAuthContextInfoProvider {
    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String BEARER_SCHEME = "Bearer";
    private static final String NONE = "NONE";
    private static final String DEFAULT_GROUPS_SEPARATOR = " ";

    @Inject
    @ConfigProperty(name = "mp.jwt.verify.publickey", defaultValue = NONE)
    private String mpJwtPublicKey;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.verify.secretkey", defaultValue = NONE)
    private String jwtSecretKey;

    @Inject
    @ConfigProperty(name = "mp.jwt.verify.issuer", defaultValue = NONE)
    private String mpJwtIssuer;

    @Inject
    @ConfigProperty(name = "mp.jwt.verify.publickey.location", defaultValue = NONE)
    private String mpJwtLocation;

    @Inject
    @ConfigProperty(name = "mp.jwt.decrypt.key.location", defaultValue = NONE)
    private String mpJwtDecryptKeyLocation;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.decrypt.key")
    private Optional<String> jwtDecryptKey;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.verify.key.location", defaultValue = NONE)
    private String verifyKeyLocation;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.decrypt.key.location", defaultValue = NONE)
    @Deprecated
    private String decryptionKeyLocation;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.decrypt.algorithm")
    @Deprecated
    private Optional<KeyEncryptionAlgorithm> keyEncryptionAlgorithm;

    @Inject
    @ConfigProperty(name = "mp.jwt.token.header")
    private Optional<String> mpJwtTokenHeader;

    @Inject
    @ConfigProperty(name = "mp.jwt.token.cookie")
    private Optional<String> mpJwtTokenCookie;

    @Inject
    @ConfigProperty(name = "mp.jwt.verify.audiences")
    Optional<Set<String>> mpJwtVerifyAudiences;

    @Inject
    @ConfigProperty(name = "mp.jwt.verify.clock.skew", defaultValue = "60")
    private int mpJwtVerifyClockSkew;

    @Inject
    @ConfigProperty(name = "mp.jwt.verify.token.age")
    Optional<Long> mpJwtVerifyTokenAge;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.token.header")
    @Deprecated
    private Optional<String> tokenHeader;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.token.cookie")
    @Deprecated
    private Optional<String> tokenCookie;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.always-check-authorization", defaultValue = "false")
    private boolean alwaysCheckAuthorization;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.token.kid")
    private Optional<String> tokenKeyId;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.token.decryption.kid")
    private Optional<String> tokenDecryptionKeyId;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.token.schemes", defaultValue = BEARER_SCHEME)
    private String tokenSchemes;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.claims.sub")
    private Optional<String> defaultSubClaim;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.path.sub")
    private Optional<String> subPath;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.claims.groups")
    private Optional<String> defaultGroupsClaim;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.path.groups")
    private Optional<String> groupsPath;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.groups-separator", defaultValue = DEFAULT_GROUPS_SEPARATOR)
    private String groupsSeparator;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.expiration.grace", defaultValue = "0")
    @Deprecated
    private int expGracePeriodSecs;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.time-to-live")
    Optional<Long> maxTimeToLiveSecs;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.jwks.refresh-interval", defaultValue = "60")
    private int jwksRefreshInterval;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.jwks.forced-refresh-interval", defaultValue = "30")
    private int forcedJwksRefreshInterval;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.verify.algorithm")
    private Optional<SignatureAlgorithm> signatureAlgorithm;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.verify.certificateThumbprint", defaultValue = "false")
    private boolean verifyCertificateThumbprint;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.verify.key-format", defaultValue = "ANY")
    private KeyFormat keyFormat;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.verify.key-provider", defaultValue = "DEFAULT")
    private KeyProvider keyProvider;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.key-cache-size", defaultValue = "100")
    private int keyCacheSize;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.key-cache-time-to-live", defaultValue = "10")
    private int keyCacheTimeToLive;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.verify.aud")
    @Deprecated
    Optional<Set<String>> expectedAudience;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.required.claims")
    Optional<Set<String>> requiredClaims;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.client.tls.certificate")
    private Optional<String> tlsCertificate;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.client.tls.certificate.path")
    private Optional<String> tlsCertificatePath;

    // Off by default; getOptionalContextInfo() forwards the value unchanged to
    // JWTAuthContextInfo.setTlsTrustAll.
    // NOTE(review): the property name suggests it relaxes TLS peer verification for the client
    // that fetches remote keys. If so, enabling it lets anyone on the network path substitute
    // the verification keys; confirm against the HTTP client code and keep it false outside tests.
    @Inject
    @ConfigProperty(name = "smallrye.jwt.client.tls.trust-all", defaultValue = "false")
    private boolean tlsTrustAll;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.client.tls.hosts")
    private Optional<Set<String>> tlsTrustedHosts;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.http.proxy.host")
    private Optional<String> httpProxyHost;

    @Inject
    @ConfigProperty(name = "mp.jwt.verify.publickey.algorithm", defaultValue = "RS256")
    private Set<SignatureAlgorithm> mpJwtPublicKeyAlgorithm = Set.of(SignatureAlgorithm.RS256);

    @Inject
    @ConfigProperty(name = "mp.jwt.decrypt.key.algorithm", defaultValue = "RSA_OAEP,RSA_OAEP_256")
    private Set<KeyEncryptionAlgorithm> mpJwtDecryptKeyAlgorithm = new HashSet(Arrays.asList(KeyEncryptionAlgorithm.RSA_OAEP, KeyEncryptionAlgorithm.RSA_OAEP_256));

    @Inject
    @ConfigProperty(name = "smallrye.jwt.require.named-principal", defaultValue = "true")
    private Optional<Boolean> requireNamedPrincipal = Optional.of(Boolean.TRUE);

    // Defaults to true in both the annotation and the field initializer, so the relaxed mode is
    // what a deployment gets unless it sets the property.
    // NOTE(review): what exactly is relaxed is not visible in this file (presumably checks on
    // the verification key such as a minimum size). Confirm, and set it to false where weak
    // keys must be rejected.
    @Inject
    @ConfigProperty(name = "smallrye.jwt.verify.relax-key-validation", defaultValue = "true")
    private boolean relaxVerificationKeyValidation = true;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.http.proxy.port", defaultValue = "80")
    private int httpProxyPort = 80;

    // Keystore settings and the startup-fetch switch.
    // NOTE(review): unlike every field above, these carry @ConfigProperty without @Inject. Under
    // plain CDI they would then keep their initializer values (empty / false) and the keystore
    // properties would be silently ignored, unless the runtime treats @ConfigProperty alone as an
    // injection point. Confirm against the target container.
    // The two password values are held as String for the lifetime of this bean; keep them out of
    // logs and diagnostics.
    @ConfigProperty(name = "smallrye.jwt.keystore.type")
    private Optional<String> keyStoreType = Optional.empty();

    @ConfigProperty(name = "smallrye.jwt.keystore.provider")
    private Optional<String> keyStoreProvider = Optional.empty();

    @ConfigProperty(name = "smallrye.jwt.keystore.password")
    private Optional<String> keyStorePassword = Optional.empty();

    @ConfigProperty(name = "smallrye.jwt.keystore.verify.key.alias")
    private Optional<String> keyStoreVerifyKeyAlias = Optional.empty();

    @ConfigProperty(name = "smallrye.jwt.keystore.decrypt.key.alias")
    private Optional<String> keyStoreDecryptKeyAlias = Optional.empty();

    // Falls back to keyStorePassword when absent (see getDecryptionKeyFromKeystore).
    @ConfigProperty(name = "smallrye.jwt.keystore.decrypt.key.password")
    private Optional<String> keyStoreDecryptKeyPassword = Optional.empty();

    // When true, http(s) key locations are downloaded while the context info is built instead
    // of being stored as a location (see getOptionalContextInfo).
    @ConfigProperty(name = "smallrye.jwt.resolve-remote-keys-at-startup", defaultValue = "false")
    private boolean fetchRemoteKeysOnStartup = false;

    /**
     * Creates a provider that verifies tokens with an inline public key.
     *
     * @param str  the public key content, stored as {@code mp.jwt.verify.publickey}
     * @param str2 the expected issuer
     * @return a provider with no key location and no decryption key configured
     */
    public static JWTAuthContextInfoProvider createWithKey(String str, String str2) {
        final Optional<String> noDecryptionKey = Optional.empty();
        final boolean secretKey = false;
        final boolean verifyThumbprint = false;
        return create(str, NONE, secretKey, verifyThumbprint, str2, noDecryptionKey);
    }

    /**
     * Creates a provider configured only with an inline decryption key.
     *
     * @param str  the decryption key content, stored as {@code smallrye.jwt.decrypt.key}
     * @param str2 the expected issuer
     * @return a provider with neither a verification key nor a key location set
     */
    public static JWTAuthContextInfoProvider createWithDecryptionKey(String str, String str2) {
        final Optional<String> decryptionKey = Optional.of(str);
        final boolean secretKey = false;
        final boolean verifyThumbprint = false;
        return create(NONE, NONE, secretKey, verifyThumbprint, str2, decryptionKey);
    }

    /**
     * Creates a provider that resolves the verification key from a location.
     *
     * @param str  the key location, stored as {@code mp.jwt.verify.publickey.location}
     * @param str2 the expected issuer
     * @return a provider with certificate thumbprint verification left off
     */
    public static JWTAuthContextInfoProvider createWithKeyLocation(String str, String str2) {
        final Optional<String> noDecryptionKey = Optional.empty();
        final boolean secretKey = false;
        final boolean verifyThumbprint = false;
        return create(NONE, str, secretKey, verifyThumbprint, str2, noDecryptionKey);
    }

    /**
     * Creates a provider that resolves the verification key from a location and turns on
     * certificate thumbprint verification.
     *
     * @param str  the key location, stored as {@code mp.jwt.verify.publickey.location}
     * @param str2 the expected issuer
     * @return a provider with {@code verifyCertificateThumbprint} set to {@code true}
     */
    public static JWTAuthContextInfoProvider createWithCertificate(String str, String str2) {
        final Optional<String> noDecryptionKey = Optional.empty();
        final boolean secretKey = false;
        final boolean verifyThumbprint = true;
        return create(NONE, str, secretKey, verifyThumbprint, str2, noDecryptionKey);
    }

    /**
     * Creates a provider that resolves a secret (symmetric) verification key from a location.
     *
     * <p>The location is stored as {@code smallrye.jwt.verify.key.location};
     * {@code mp.jwt.verify.publickey.location} stays unset.
     *
     * @param str  the secret key location
     * @param str2 the expected issuer
     * @return a provider with no inline key content
     */
    public static JWTAuthContextInfoProvider createWithSecretKeyLocation(String str, String str2) {
        final Optional<String> noDecryptionKey = Optional.empty();
        final boolean secretKey = true;
        final boolean verifyThumbprint = false;
        return create(NONE, str, secretKey, verifyThumbprint, str2, noDecryptionKey);
    }

    /**
     * Creates a provider whose keys come from a keystore at the given location.
     *
     * <p>Keystore type and provider are left unset. When {@code optional3} is present the
     * location is stored as the decryption key location and the verification key location
     * stays unset.
     *
     * @param str       the keystore location
     * @param optional  the keystore password
     * @param optional2 the alias of the verification key
     * @param optional3 the alias of the decryption key
     * @param str2      the expected issuer
     * @return the configured provider
     */
    public static JWTAuthContextInfoProvider createWithVerifyKeyStoreLocation(String str, Optional<String> optional, Optional<String> optional2, Optional<String> optional3, String str2) {
        final Optional<String> absent = Optional.empty();
        return create(
                NONE, str,
                absent, absent,
                optional, optional2, optional3,
                false, false,
                str2, absent);
    }

    /**
     * Creates a provider whose keys come from a keystore at the given location.
     *
     * <p>The arguments are forwarded exactly as in {@code createWithVerifyKeyStoreLocation}:
     * keystore type and provider are left unset, and when {@code optional3} is present the
     * location is stored as the decryption key location instead of the verification key location.
     *
     * @param str       the keystore location
     * @param optional  the keystore password
     * @param optional2 the alias of the verification key
     * @param optional3 the alias of the decryption key
     * @param str2      the expected issuer
     * @return the configured provider
     */
    public static JWTAuthContextInfoProvider createWithKeyStoreLocation(String str, Optional<String> optional, Optional<String> optional2, Optional<String> optional3, String str2) {
        final Optional<String> absent = Optional.empty();
        return create(
                NONE, str,
                absent, absent,
                optional, optional2, optional3,
                false, false,
                str2, absent);
    }

    /**
     * Creates a provider without any keystore settings.
     *
     * @param str      inline key content; treated as a secret key when {@code z} is true,
     *                 otherwise as a public key
     * @param str2     the key location
     * @param z        whether the key is a secret (symmetric) key
     * @param z2       whether certificate thumbprint verification is enabled
     * @param str3     the expected issuer
     * @param optional inline decryption key content, if any
     * @return the configured provider
     */
    public static JWTAuthContextInfoProvider create(String str, String str2, boolean z, boolean z2, String str3, Optional<String> optional) {
        // Keystore type, provider, password and both aliases are all left unset.
        final Optional<String> noKeyStoreSetting = Optional.empty();
        return create(
                str, str2,
                noKeyStoreSetting, noKeyStoreSetting,
                noKeyStoreSetting, noKeyStoreSetting, noKeyStoreSetting,
                z, z2,
                str3, optional);
    }

    /**
     * Builds a provider outside CDI by assigning every field that injection would otherwise fill.
     *
     * <p>Fields not derived from an argument receive the same values as the
     * {@code @ConfigProperty} defaults, with two exceptions visible here: the token cookie name
     * is preset to {@code "Bearer"} and the signature algorithm is pinned to RS256.
     *
     * @param str       inline key content; a secret key when {@code z} is true, else a public key
     * @param str2      key location; which location field it lands in depends on {@code z} and
     *                  on whether {@code optional5} is present
     * @param optional  keystore type
     * @param optional2 keystore provider
     * @param optional3 keystore password
     * @param optional4 alias of the verification key in the keystore
     * @param optional5 alias of the decryption key in the keystore
     * @param z         whether the key is a secret (symmetric) key
     * @param z2        whether certificate thumbprint verification is enabled
     * @param str3      the expected issuer
     * @param optional6 inline decryption key content, if any
     * @return the configured provider
     */
    private static JWTAuthContextInfoProvider create(String str, String str2, Optional<String> optional, Optional<String> optional2, Optional<String> optional3, Optional<String> optional4, Optional<String> optional5, boolean z, boolean z2, String str3, Optional<String> optional6) {
        final JWTAuthContextInfoProvider provider = new JWTAuthContextInfoProvider();
        final boolean decryptAliasGiven = optional5.isPresent();

        // Verification key material: inline content goes to exactly one of the two key fields.
        provider.mpJwtPublicKey = z ? NONE : str;
        provider.jwtSecretKey = z ? str : NONE;
        provider.mpJwtPublicKeyAlgorithm = Set.of(SignatureAlgorithm.RS256);

        // The location is a secret-key location (z), a decryption keystore location
        // (decrypt alias present) or the MP JWT public key location, never more than one.
        if (z || decryptAliasGiven) {
            provider.mpJwtLocation = NONE;
        } else {
            provider.mpJwtLocation = str2;
        }
        provider.verifyKeyLocation = z ? str2 : NONE;
        provider.verifyCertificateThumbprint = z2;
        provider.mpJwtIssuer = str3;
        provider.mpJwtDecryptKeyLocation = decryptAliasGiven ? str2 : NONE;
        provider.jwtDecryptKey = optional6;
        provider.decryptionKeyLocation = NONE;

        // Token transport: the deprecated smallrye.* fields mirror the mp.* ones.
        provider.mpJwtTokenHeader = Optional.of(AUTHORIZATION_HEADER);
        provider.mpJwtTokenCookie = Optional.of(BEARER_SCHEME);
        provider.tokenHeader = provider.mpJwtTokenHeader;
        provider.tokenCookie = provider.mpJwtTokenCookie;
        provider.tokenKeyId = Optional.empty();
        provider.tokenDecryptionKeyId = Optional.empty();
        provider.tokenSchemes = BEARER_SCHEME;

        // Claim mapping.
        provider.requireNamedPrincipal = Optional.of(Boolean.TRUE);
        provider.defaultSubClaim = Optional.empty();
        provider.subPath = Optional.empty();
        provider.defaultGroupsClaim = Optional.empty();
        provider.groupsPath = Optional.empty();

        // Time-based checks and JWK set refresh.
        provider.expGracePeriodSecs = 0;
        provider.maxTimeToLiveSecs = Optional.empty();
        provider.mpJwtVerifyClockSkew = 60;
        provider.mpJwtVerifyTokenAge = Optional.empty();
        provider.jwksRefreshInterval = 60;
        provider.forcedJwksRefreshInterval = 30;

        // Algorithms and key handling.
        provider.signatureAlgorithm = Optional.of(SignatureAlgorithm.RS256);
        provider.keyEncryptionAlgorithm = Optional.empty();
        provider.mpJwtDecryptKeyAlgorithm = new HashSet<>(
                Arrays.asList(KeyEncryptionAlgorithm.RSA_OAEP, KeyEncryptionAlgorithm.RSA_OAEP_256));
        provider.keyFormat = KeyFormat.ANY;
        provider.keyProvider = KeyProvider.DEFAULT;

        // Audience and required claims.
        provider.mpJwtVerifyAudiences = Optional.empty();
        provider.expectedAudience = Optional.empty();
        provider.groupsSeparator = DEFAULT_GROUPS_SEPARATOR;
        provider.requiredClaims = Optional.empty();

        // HTTP client used for remote keys.
        provider.tlsCertificate = Optional.empty();
        provider.tlsCertificatePath = Optional.empty();
        provider.tlsTrustedHosts = Optional.empty();
        provider.httpProxyHost = Optional.empty();
        provider.httpProxyPort = 80;

        // Keystore settings; a separate decryption key password cannot be supplied through
        // this factory, so the keystore password is used for the key as well.
        provider.keyStoreType = optional;
        provider.keyStoreProvider = optional2;
        provider.keyStorePassword = optional3;
        provider.keyStoreVerifyKeyAlias = optional4;
        provider.keyStoreDecryptKeyAlias = optional5;
        provider.keyStoreDecryptKeyPassword = Optional.empty();
        return provider;
    }

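    /**
     * Assembles the {@link JWTAuthContextInfo} from the configuration held by this provider.
     *
     * <p>Verification key precedence: inline public key, then inline secret key, then a key
     * location ({@code smallrye.jwt.verify.key.location} before
     * {@code mp.jwt.verify.publickey.location}), then a keystore without location. The
     * decryption key is resolved the same way from the inline key, the location and the keystore.
     *
     * <p>A deprecated {@code smallrye.jwt.*} property is used only when its {@code mp.jwt.*}
     * replacement is unset, and each such use is reported through
     * {@code ConfigLogging.log.replacedConfig}. The exceptions are
     * {@code smallrye.jwt.expiration.grace}, {@code smallrye.jwt.verify.algorithm} and
     * {@code smallrye.jwt.decrypt.algorithm}, which take precedence when set.
     *
     * @return the assembled context info; never empty
     * @throws RuntimeException as produced by {@code ConfigMessages.msg} when a key cannot be
     *         read, or when an HS* algorithm is combined with
     *         {@code mp.jwt.verify.publickey.location} (exact types are declared in
     *         {@code ConfigMessages}, not visible here)
     */
    @Produces
    Optional<JWTAuthContextInfo> getOptionalContextInfo() {
        final String verifyLocation = !NONE.equals(this.verifyKeyLocation) ? this.verifyKeyLocation : this.mpJwtLocation;
        final JWTAuthContextInfo contextInfo = new JWTAuthContextInfo();
        if (this.mpJwtIssuer != null && !this.mpJwtIssuer.equals(NONE)) {
            contextInfo.setIssuedBy(this.mpJwtIssuer.trim());
        }

        // ---- verification key ----
        final boolean hasPublicKey = !NONE.equals(this.mpJwtPublicKey);
        final boolean hasSecretKey = !NONE.equals(this.jwtSecretKey);
        final boolean hasVerifyLocation = !NONE.equals(verifyLocation);
        if (hasPublicKey) {
            contextInfo.setPublicKeyContent(this.mpJwtPublicKey);
            if (hasVerifyLocation || hasSecretKey) {
                ConfigLogging.log.publicKeyConfiguredButOtherKeyPropertiesAreAlsoUsed();
            }
        } else if (hasSecretKey) {
            contextInfo.setSecretKeyContent(this.jwtSecretKey);
            if (hasVerifyLocation) {
                ConfigLogging.log.secretKeyConfiguredButKeyLocationIsAlsoUsed();
            }
        } else if (hasVerifyLocation) {
            final String location = verifyLocation.trim();
            // The prefix test also accepts plain http:// locations.
            // NOTE(review): verification keys fetched without TLS can be replaced in transit;
            // prefer https locations.
            if (location.startsWith("http")) {
                if (this.fetchRemoteKeysOnStartup) {
                    // try-with-resources closes the stream on every path, including a failed read.
                    try (InputStream keyStream = ResourceUtils.getResourceStream(location)) {
                        // A null stream leaves the context without key content or location and
                        // raises no error here.
                        // NOTE(review): confirm that a missing remote key is meant to be
                        // tolerated at startup.
                        if (keyStream != null) {
                            // Decode explicitly as UTF-8 so the result does not depend on the
                            // platform default charset.
                            contextInfo.setPublicKeyContent(new String(ResourceUtils.readBytes(keyStream), java.nio.charset.StandardCharsets.UTF_8));
                            if (contextInfo.getPublicKeyContent() == null) {
                                throw ConfigMessages.msg.invalidPublicKeyLocation();
                            }
                        }
                    } catch (Exception e) {
                        throw ConfigMessages.msg.readingPublicKeyLocationFailed(e);
                    }
                } else {
                    contextInfo.setPublicKeyLocation(location);
                }
            } else if (isPublicKeyInKeystore()) {
                try {
                    contextInfo.setPublicVerificationKey(getVerificationKeyFromKeystore(location));
                } catch (Exception e) {
                    throw ConfigMessages.msg.readingPublicKeyLocationFailed(e);
                }
            } else {
                try {
                    contextInfo.setPublicKeyContent(ResourceUtils.readResource(location));
                    if (contextInfo.getPublicKeyContent() == null) {
                        throw ConfigMessages.msg.invalidPublicKeyLocation();
                    }
                } catch (IOException e) {
                    throw ConfigMessages.msg.readingPublicKeyLocationFailed(e);
                }
            }
        } else if (isPublicKeyInKeystore()) {
            try {
                contextInfo.setPublicVerificationKey(getVerificationKeyFromKeystore(null));
            } catch (Exception e) {
                throw ConfigMessages.msg.readingPublicKeyLocationFailed(e);
            }
        }

        // ---- decryption key ----
        final String decryptLocation;
        if (!NONE.equals(this.mpJwtDecryptKeyLocation)) {
            decryptLocation = this.mpJwtDecryptKeyLocation;
        } else if (NONE.equals(this.decryptionKeyLocation)) {
            decryptLocation = NONE;
        } else {
            ConfigLogging.log.replacedConfig("smallrye.jwt.decrypt.key.location", "mp.jwt.decrypt.key.location");
            decryptLocation = this.decryptionKeyLocation;
        }
        if (this.jwtDecryptKey.isPresent()) {
            contextInfo.setDecryptionKeyContent(this.jwtDecryptKey.get());
        } else if (!NONE.equals(decryptLocation)) {
            final String location = decryptLocation.trim();
            // NOTE(review): as above, the prefix test accepts http:// as well; a private
            // decryption key should not travel over an unencrypted connection.
            if (location.startsWith("http")) {
                if (this.fetchRemoteKeysOnStartup) {
                    try (InputStream keyStream = ResourceUtils.getResourceStream(location)) {
                        if (keyStream != null) {
                            contextInfo.setDecryptionKeyContent(new String(ResourceUtils.readBytes(keyStream), java.nio.charset.StandardCharsets.UTF_8));
                            if (contextInfo.getDecryptionKeyContent() == null) {
                                throw ConfigMessages.msg.invalidDecryptKeyLocation();
                            }
                        }
                    } catch (Exception e) {
                        throw ConfigMessages.msg.readingDecryptKeyLocationFailed(e);
                    }
                } else {
                    contextInfo.setDecryptionKeyLocation(location);
                }
            } else if (isPrivateKeyInKeystore()) {
                try {
                    contextInfo.setPrivateDecryptionKey(getDecryptionKeyFromKeystore(location));
                } catch (Exception e) {
                    throw ConfigMessages.msg.readingDecryptKeyLocationFailed(e);
                }
            } else {
                try {
                    contextInfo.setDecryptionKeyContent(ResourceUtils.readResource(location));
                    if (contextInfo.getDecryptionKeyContent() == null) {
                        throw ConfigMessages.msg.invalidDecryptKeyLocation();
                    }
                } catch (IOException e) {
                    throw ConfigMessages.msg.readingDecryptKeyLocationFailed(e);
                }
            }
        } else if (isPrivateKeyInKeystore()) {
            try {
                contextInfo.setPrivateDecryptionKey(getDecryptionKeyFromKeystore(null));
            } catch (Exception e) {
                throw ConfigMessages.msg.readingDecryptKeyLocationFailed(e);
            }
        }

        // ---- token transport ----
        if (this.mpJwtTokenHeader.isPresent()) {
            contextInfo.setTokenHeader(this.mpJwtTokenHeader.get());
        } else if (this.tokenHeader.isPresent()) {
            ConfigLogging.log.replacedConfig("smallrye.jwt.token.header", "mp.jwt.token.header");
            contextInfo.setTokenHeader(this.tokenHeader.get());
        } else {
            contextInfo.setTokenHeader(AUTHORIZATION_HEADER);
        }
        if (this.mpJwtTokenCookie.isPresent()) {
            SmallryeJwtUtils.setContextTokenCookie(contextInfo, this.mpJwtTokenCookie);
        } else if (this.tokenCookie.isPresent()) {
            ConfigLogging.log.replacedConfig("smallrye.jwt.token.cookie", "mp.jwt.token.cookie");
            SmallryeJwtUtils.setContextTokenCookie(contextInfo, this.tokenCookie);
        } else {
            SmallryeJwtUtils.setContextTokenCookie(contextInfo, Optional.of(BEARER_SCHEME));
        }

        // The deprecated grace period wins over mp.jwt.verify.clock.skew when it is positive;
        // with both at zero or below no clock skew is set at all.
        if (this.expGracePeriodSecs > 0) {
            ConfigLogging.log.replacedConfig("smallrye.jwt.expiration.grace", "mp.jwt.verify.clock.skew");
            contextInfo.setClockSkew(this.expGracePeriodSecs);
        } else if (this.mpJwtVerifyClockSkew > 0) {
            contextInfo.setClockSkew(this.mpJwtVerifyClockSkew);
        }

        contextInfo.setAlwaysCheckAuthorization(this.alwaysCheckAuthorization);
        contextInfo.setTokenKeyId(this.tokenKeyId.orElse(null));
        contextInfo.setTokenDecryptionKeyId(this.tokenDecryptionKeyId.orElse(null));
        // An absent value falls back to the documented default (true) instead of failing with a
        // NullPointerException on unboxing.
        contextInfo.setRequireNamedPrincipal(this.requireNamedPrincipal.orElse(Boolean.TRUE).booleanValue());
        SmallryeJwtUtils.setTokenSchemes(contextInfo, this.tokenSchemes);
        contextInfo.setDefaultSubjectClaim(this.defaultSubClaim.orElse(null));
        SmallryeJwtUtils.setContextSubPath(contextInfo, this.subPath);
        contextInfo.setDefaultGroupsClaim(this.defaultGroupsClaim.orElse(null));
        contextInfo.setTlsCertificate(this.tlsCertificate.orElse(null));
        contextInfo.setTlsCertificatePath(this.tlsCertificatePath.orElse(null));
        contextInfo.setTlsTrustedHosts(this.tlsTrustedHosts.orElse(null));
        contextInfo.setTlsTrustAll(this.tlsTrustAll);
        contextInfo.setHttpProxyHost(this.httpProxyHost.orElse(null));
        contextInfo.setHttpProxyPort(this.httpProxyPort);
        SmallryeJwtUtils.setContextGroupsPath(contextInfo, this.groupsPath);
        contextInfo.setMaxTimeToLiveSecs(this.maxTimeToLiveSecs.orElse(null));
        contextInfo.setTokenAge(this.mpJwtVerifyTokenAge.orElse(null));
        contextInfo.setJwksRefreshInterval(Integer.valueOf(this.jwksRefreshInterval));
        contextInfo.setForcedJwksRefreshInterval(this.forcedJwksRefreshInterval);

        // ---- signature algorithm ----
        Set<SignatureAlgorithm> signatureAlgorithms = this.mpJwtPublicKeyAlgorithm;
        if (this.signatureAlgorithm.isPresent()) {
            if (!this.signatureAlgorithm.get().getAlgorithm().startsWith("HS")) {
                ConfigLogging.log.replacedConfig("smallrye.jwt.verify.algorithm", "mp.jwt.verify.publickey.algorithm");
            } else if (hasVerifyLocation && verifyLocation == this.mpJwtLocation) {
                // An HS* algorithm is rejected when the key comes from
                // mp.jwt.verify.publickey.location, presumably so that material published as a
                // public key is never used as an HMAC secret.
                // NOTE(review): the identity comparison (==) is true when the resolved location
                // is the very String taken from mpJwtLocation above;
                // NONE.equals(this.verifyKeyLocation) would state the same intent without
                // relying on reference identity. Confirm before changing this check.
                throw ConfigMessages.msg.hmacNotSupported();
            }
            signatureAlgorithms = Set.of(this.signatureAlgorithm.get());
        }
        checkKeyFormat(signatureAlgorithms);
        contextInfo.setSignatureAlgorithm(signatureAlgorithms);

        // ---- key encryption algorithm ----
        final Set<KeyEncryptionAlgorithm> keyEncryptionAlgorithms;
        if (this.keyEncryptionAlgorithm.isEmpty()) {
            keyEncryptionAlgorithms = this.mpJwtDecryptKeyAlgorithm;
        } else {
            ConfigLogging.log.replacedConfig("smallrye.jwt.decrypt.algorithm", "mp.jwt.decrypt.key.algorithm");
            keyEncryptionAlgorithms = Collections.singleton(this.keyEncryptionAlgorithm.get());
        }
        contextInfo.setKeyEncryptionAlgorithm(keyEncryptionAlgorithms);
        contextInfo.setKeyFormat(this.keyFormat);
        contextInfo.setKeyProvider(this.keyProvider);
        contextInfo.setKeyCacheSize(this.keyCacheSize);
        contextInfo.setKeyCacheTimeToLive(this.keyCacheTimeToLive);

        // ---- audience and remaining claims settings ----
        // With neither audience property set the expected audience is null.
        // NOTE(review): presumably that disables the aud check downstream; confirm in the
        // verifier and set mp.jwt.verify.audiences where tokens are shared between services.
        if (this.mpJwtVerifyAudiences.isPresent()) {
            contextInfo.setExpectedAudience(this.mpJwtVerifyAudiences.get());
        } else if (this.expectedAudience.isPresent()) {
            ConfigLogging.log.replacedConfig("smallrye.jwt.verify.aud", "mp.jwt.verify.audiences");
            contextInfo.setExpectedAudience(this.expectedAudience.get());
        } else {
            contextInfo.setExpectedAudience(null);
        }
        contextInfo.setGroupsSeparator(this.groupsSeparator);
        contextInfo.setRequiredClaims(this.requiredClaims.orElse(null));
        contextInfo.setRelaxVerificationKeyValidation(this.relaxVerificationKeyValidation);
        contextInfo.setVerifyCertificateThumbprint(this.verifyCertificateThumbprint);
        return Optional.of(contextInfo);
    }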

    /**
     * Inspects the configured key format when more than one signature algorithm is in use.
     *
     * <p>NOTE(review): the value returned by
     * {@code ConfigMessages.msg.singleSignatureAlgorithmForPemOnly()} is neither thrown nor
     * logged, whereas every other {@code ConfigMessages.msg} call in this class is thrown. As
     * written, a PEM key format combined with several algorithms is accepted without any
     * signal. Confirm the return type and whether a {@code throw} was intended.
     *
     * @param set the signature algorithms that will be accepted
     */
    private void checkKeyFormat(Set<SignatureAlgorithm> set) {
        if (set.size() <= 1) {
            return;
        }
        final boolean pemFormat = this.keyFormat.equals(KeyFormat.PEM_KEY)
                || this.keyFormat.equals(KeyFormat.PEM_CERTIFICATE);
        if (pemFormat) {
            ConfigMessages.msg.singleSignatureAlgorithmForPemOnly();
        }
    }

    /**
     * Loads the keystore and returns the public key of the certificate stored under the
     * configured verification alias.
     *
     * <p>Callers check {@code isPublicKeyInKeystore()} first, so the keystore password and
     * alias are expected to be present.
     *
     * <p>NOTE(review): assuming {@code KeyUtils.loadKeyStore} returns a
     * {@code java.security.KeyStore}, an unknown alias yields a null certificate and this
     * method fails with a NullPointerException rather than a message naming the alias.
     *
     * @param str the keystore location, or {@code null} when none is configured
     * @return the public verification key
     * @throws Exception if the keystore cannot be loaded or read
     */
    private PublicKey getVerificationKeyFromKeystore(String str) throws Exception {
        final String storePassword = this.keyStorePassword.get();
        return KeyUtils.loadKeyStore(str, storePassword, this.keyStoreType, this.keyStoreProvider)
                .getCertificate(this.keyStoreVerifyKeyAlias.get())
                .getPublicKey();
    }

    /**
     * Loads the keystore and returns the private key stored under the configured decryption
     * alias.
     *
     * <p>The key is unlocked with {@code smallrye.jwt.keystore.decrypt.key.password} when that
     * is set, otherwise with the keystore password.
     *
     * <p>NOTE(review): assuming {@code KeyUtils.loadKeyStore} returns a
     * {@code java.security.KeyStore}, an unknown alias yields {@code null}, which the caller
     * then stores as the decryption key without any error.
     *
     * @param str the keystore location, or {@code null} when none is configured
     * @return the private decryption key
     * @throws Exception if the keystore cannot be loaded or the key cannot be recovered
     */
    private PrivateKey getDecryptionKeyFromKeystore(String str) throws Exception {
        final String storePassword = this.keyStorePassword.get();
        return (PrivateKey) KeyUtils.loadKeyStore(str, storePassword, this.keyStoreType, this.keyStoreProvider)
                .getKey(
                        this.keyStoreDecryptKeyAlias.get(),
                        this.keyStoreDecryptKeyPassword.orElse(storePassword).toCharArray());
    }

    /**
     * Tells whether the verification key is to be read from a keystore.
     *
     * @return {@code true} when both the keystore password and the verification key alias are set
     */
    private boolean isPublicKeyInKeystore() {
        if (this.keyStorePassword.isEmpty()) {
            return false;
        }
        return this.keyStoreVerifyKeyAlias.isPresent();
    }

    /**
     * Tells whether the decryption key is to be read from a keystore.
     *
     * @return {@code true} when both the keystore password and the decryption key alias are set
     */
    private boolean isPrivateKeyInKeystore() {
        if (this.keyStorePassword.isEmpty()) {
            return false;
        }
        return this.keyStoreDecryptKeyAlias.isPresent();
    }

    /**
     * Produces the application-scoped {@link JWTAuthContextInfo}.
     *
     * <p>Delegates to {@link #getOptionalContextInfo()}, which always returns a present value.
     *
     * @return the context info built from the current configuration
     */
    @ApplicationScoped
    @Produces
    public JWTAuthContextInfo getContextInfo() {
        final Optional<JWTAuthContextInfo> contextInfo = getOptionalContextInfo();
        return contextInfo.get();
    }
}
