package org.apache.kerby.kerberos.provider.token;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEEncrypter;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.KeyLengthException;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.DirectEncrypter;
import com.nimbusds.jose.crypto.ECDSASigner;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.RSAEncrypter;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.SignedJWT;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.provider.TokenEncoder;
import org.apache.kerby.kerberos.kerb.type.base.AuthToken;
import org.keycloak.OAuth2Constants;

/* loaded from: input_file:BOOT-INF/lib/token-provider-1.1.1.jar:org/apache/kerby/kerberos/provider/token/JwtTokenEncoder.class */
/**
 * {@link TokenEncoder} that turns a {@link JwtAuthToken} into its compact JWT string form,
 * optionally signing (JWS) and/or encrypting (JWE) it with the configured keys.
 *
 * <p>The output depends on which keys have been set:
 * <ul>
 *   <li>sign key and encryption key: the claims are signed, and the signed JWT is then wrapped
 *       in a JWE whose content type is {@code OAuth2Constants.JWT};</li>
 *   <li>sign key only: a signed JWT;</li>
 *   <li>encryption key only: an encrypted JWT that carries no signature;</li>
 *   <li>neither key: the token's own JWT is serialized as-is; this class applies no signature
 *       or encryption in that case.</li>
 * </ul>
 *
 * <p>Defaults are {@code RSA_OAEP_256} / {@code A128GCM} for encryption and {@code RS256} for
 * signing. Keys are stored as {@code Object} and only checked against the selected algorithm
 * when a token is encoded, so a key/algorithm mismatch surfaces as a {@link KrbException} from
 * the encode methods rather than from the setters.
 *
 * <p>NOTE(review): the protection level is decided solely by which key fields are non-null.
 * Callers that require signed tokens should verify that a sign key was actually supplied,
 * because a missing key silently selects one of the weaker modes listed above.
 */
public class JwtTokenEncoder implements TokenEncoder {
    private JWEAlgorithm jweAlgorithm = JWEAlgorithm.RSA_OAEP_256;
    private EncryptionMethod encryptionMethod = EncryptionMethod.A128GCM;
    private JWSAlgorithm jwsAlgorithm = JWSAlgorithm.RS256;
    // Either a PublicKey or a byte[] (see the setEncryptionKey overloads); null means "do not encrypt".
    private Object encryptionKey;
    // Either a PrivateKey or a byte[] (see the setSignKey overloads); null means "do not sign".
    private Object signKey;

    /**
     * Encodes the token and returns the UTF-8 bytes of its compact serialization.
     *
     * @param authToken the token to encode; must be a {@link JwtAuthToken}
     * @return the UTF-8 encoding of {@link #encodeAsString(AuthToken)}
     * @throws KrbException under the same conditions as {@link #encodeAsString(AuthToken)}
     */
    @Override
    public byte[] encodeAsBytes(AuthToken authToken) throws KrbException {
        String compact = encodeAsString(authToken);
        return compact.getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Encodes the token as a compact JWT string, signing and/or encrypting it according to
     * the keys currently configured (see the class description for the four modes).
     *
     * @param authToken the token to encode; must be a {@link JwtAuthToken}
     * @return the serialized JWT, JWS or JWE
     * @throws KrbException if the token is not a {@link JwtAuthToken}, if the configured key does
     *     not fit the configured algorithm, or if reading the claims, signing or encrypting fails
     */
    @Override
    public String encodeAsString(AuthToken authToken) throws KrbException {
        if (!(authToken instanceof JwtAuthToken)) {
            throw new KrbException("Unexpected AuthToken, not JwtAuthToken");
        }
        JWT jwt = ((JwtAuthToken) authToken).getJwt();

        if (this.signKey != null) {
            return signThenMaybeEncrypt(jwt);
        }
        if (this.encryptionKey != null) {
            return encryptOnly(jwt);
        }
        // No key configured: the JWT is emitted exactly as the token holds it.
        return jwt.serialize();
    }

    /**
     * Signs the claims of {@code jwt} and, when an encryption key is set, nests the signed JWT
     * inside a JWE.
     */
    private String signThenMaybeEncrypt(JWT jwt) throws KrbException {
        // The signer is built first so that a key/algorithm mismatch is reported before the
        // claims are touched.
        JWSSigner signer = createSigner();

        SignedJWT signed;
        try {
            signed = new SignedJWT(new JWSHeader(this.jwsAlgorithm), jwt.getJWTClaimsSet());
        } catch (ParseException e) {
            throw new KrbException("Failed to get JWT claims set", e);
        }

        try {
            signed.sign(signer);
        } catch (JOSEException e) {
            throw new KrbException("Failed to sign the Signed JWT", e);
        }

        if (this.encryptionKey == null) {
            return signed.serialize();
        }

        JWEHeader nestedHeader = new JWEHeader.Builder(this.jweAlgorithm, this.encryptionMethod)
                .contentType(OAuth2Constants.JWT)
                .build();
        JWEObject envelope = new JWEObject(nestedHeader, new Payload(signed));
        try {
            envelope.encrypt(createEncryptor());
            return envelope.serialize();
        } catch (JOSEException e) {
            throw new KrbException("Failed to encrypt the JWE object", e);
        }
    }

    /** Encrypts the claims of {@code jwt} without signing them. */
    private String encryptOnly(JWT jwt) throws KrbException {
        EncryptedJWT encrypted;
        try {
            encrypted = new EncryptedJWT(
                    new JWEHeader(this.jweAlgorithm, this.encryptionMethod), jwt.getJWTClaimsSet());
        } catch (ParseException e) {
            throw new KrbException("Failed to get JWT claims set", e);
        }

        try {
            encrypted.encrypt(createEncryptor());
            return encrypted.serialize();
        } catch (JOSEException e) {
            throw new KrbException("Failed to encrypt the encrypted JWT", e);
        }
    }

    /**
     * Builds the signer for the configured JWS algorithm, checking that the stored sign key has
     * the type that algorithm family needs (RSA private key, EC private key, or raw bytes for
     * the MAC family).
     *
     * @throws KrbException if the algorithm belongs to none of the three families, the key type
     *     does not match, or the signer rejects the key
     */
    private JWSSigner createSigner() throws KrbException {
        final JWSAlgorithm algorithm = this.jwsAlgorithm;
        final Object key = this.signKey;

        if (RSASSASigner.SUPPORTED_ALGORITHMS.contains(algorithm)) {
            if (!(key instanceof RSAPrivateKey)) {
                throw new KrbException("An RSAPrivateKey key must be specified for signature");
            }
            return new RSASSASigner((RSAPrivateKey) key);
        }

        if (ECDSASigner.SUPPORTED_ALGORITHMS.contains(algorithm)) {
            if (!(key instanceof ECPrivateKey)) {
                throw new KrbException("A ECPrivateKey key must be specified for signature");
            }
            try {
                return new ECDSASigner((ECPrivateKey) key);
            } catch (JOSEException e) {
                throw new KrbException(e.getMessage(), e);
            }
        }

        if (MACSigner.SUPPORTED_ALGORITHMS.contains(algorithm)) {
            if (!(key instanceof byte[])) {
                throw new KrbException("A byte[] key must be specified for signature");
            }
            try {
                // The MACSigner constructor can refuse the secret on length grounds.
                return new MACSigner((byte[]) key);
            } catch (KeyLengthException e) {
                throw new KrbException(e.getMessage(), e);
            }
        }

        throw new KrbException("An unknown signature algorithm was specified");
    }

    /**
     * Builds the encrypter for the configured JWE algorithm, checking that the stored encryption
     * key is an RSA public key (RSA family) or raw bytes (direct encryption).
     *
     * @throws KrbException if the algorithm belongs to neither family or the key type does not match
     * @throws JOSEException if the direct encrypter rejects the key
     */
    private JWEEncrypter createEncryptor() throws KrbException, JOSEException {
        final JWEAlgorithm algorithm = this.jweAlgorithm;
        final Object key = this.encryptionKey;

        if (RSAEncrypter.SUPPORTED_ALGORITHMS.contains(algorithm)) {
            if (!(key instanceof RSAPublicKey)) {
                throw new KrbException("An RSAPublicKey key must be specified for encryption");
            }
            return new RSAEncrypter((RSAPublicKey) key);
        }

        if (DirectEncrypter.SUPPORTED_ALGORITHMS.contains(algorithm)) {
            if (!(key instanceof byte[])) {
                throw new KrbException("A byte[] key must be specified for encryption");
            }
            return new DirectEncrypter((byte[]) key);
        }

        throw new KrbException("An unknown encryption algorithm was specified");
    }

    /**
     * Sets a public key for encryption. The reference is stored as given; passing {@code null}
     * clears the key, which turns encryption off.
     */
    @Override
    public void setEncryptionKey(PublicKey publicKey) {
        this.encryptionKey = publicKey;
    }

    /**
     * Sets a raw-byte encryption key. A private copy of the array is kept. A {@code null}
     * argument is stored as an empty array rather than as {@code null}, so the encryption
     * branch stays active and the empty key is handed to the encrypter instead of the token
     * being emitted unencrypted.
     */
    @Override
    public void setEncryptionKey(byte[] bArr) {
        this.encryptionKey = (bArr == null) ? new byte[0] : bArr.clone();
    }

    /**
     * Sets a private key for signing. The reference is stored as given; passing {@code null}
     * clears the key, after which tokens are produced without a signature.
     */
    @Override
    public void setSignKey(PrivateKey privateKey) {
        this.signKey = privateKey;
    }

    /**
     * Sets a raw-byte signing secret. A private copy of the array is kept. A {@code null}
     * argument is stored as an empty array rather than as {@code null}, so the signing branch
     * stays active and the empty key is handed to signer creation instead of the token being
     * emitted unsigned.
     */
    @Override
    public void setSignKey(byte[] bArr) {
        this.signKey = (bArr == null) ? new byte[0] : bArr.clone();
    }

    /** Returns the JWE key-management algorithm used when encrypting. */
    public JWEAlgorithm getJweAlgorithm() {
        return this.jweAlgorithm;
    }

    /** Sets the JWE key-management algorithm; it must match the type of the encryption key. */
    public void setJweAlgorithm(JWEAlgorithm jWEAlgorithm) {
        this.jweAlgorithm = jWEAlgorithm;
    }

    /** Returns the JWS algorithm used when signing. */
    public JWSAlgorithm getJwsAlgorithm() {
        return this.jwsAlgorithm;
    }

    /** Sets the JWS algorithm; it must match the type of the sign key. */
    public void setJwsAlgorithm(JWSAlgorithm jWSAlgorithm) {
        this.jwsAlgorithm = jWSAlgorithm;
    }

    /** Returns the JWE content-encryption method. */
    public EncryptionMethod getEncryptionMethod() {
        return this.encryptionMethod;
    }

    /** Sets the JWE content-encryption method. */
    public void setEncryptionMethod(EncryptionMethod encryptionMethod) {
        this.encryptionMethod = encryptionMethod;
    }
}
