package org.eclipse.hono.service.auth;

import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.impl.DefaultJwtBuilder;
import io.jsonwebtoken.impl.compression.GzipCompressionCodec;
import io.jsonwebtoken.jackson.io.JacksonSerializer;
import io.jsonwebtoken.security.Keys;
import io.jsonwebtoken.security.SecurityException;
import io.quarkus.runtime.annotations.RegisterForReflection;
import io.vertx.core.Vertx;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Base64;
import java.util.Date;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import javax.crypto.SecretKey;
import org.eclipse.hono.auth.Authorities;
import org.eclipse.hono.service.auth.JwtSupport;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@RegisterForReflection(targets = {DefaultJwtBuilder.class, JacksonSerializer.class, GzipCompressionCodec.class})
/* loaded from: input_file:org/eclipse/hono/service/auth/JjwtBasedAuthTokenFactory.class */
public final class JjwtBasedAuthTokenFactory extends JwtSupport implements AuthTokenFactory {
    private static final String PROPERTY_JWK_ALG = "alg";
    private static final String PROPERTY_JWK_CRV = "crv";
    private static final String PROPERTY_JWK_E = "e";
    private static final String PROPERTY_JWK_KEY_OPS = "key_ops";
    private static final String PROPERTY_JWK_K = "k";
    private static final String PROPERTY_JWK_KID = "kid";
    private static final String PROPERTY_JWK_KTY = "kty";
    private static final String PROPERTY_JWK_N = "n";
    private static final String PROPERTY_JWK_USE = "use";
    private static final String PROPERTY_JWK_X = "x";
    private static final String PROPERTY_JWK_Y = "y";
    private final JsonObject jwkSet;
    private final SignatureSupportingConfigProperties config;
    private final Duration tokenLifetime;
    private final String signingKeyId;
    private static final Logger LOG = LoggerFactory.getLogger(JjwtBasedAuthTokenFactory.class);
    private static final Map<String, String> CURVE_OID_TO_NIST_NAME = Map.of("1.2.840.10045.3.1.7", "P-256", "1.3.132.0.34", "P-384", "1.3.132.0.35", "P-521");

    public JjwtBasedAuthTokenFactory(Vertx vertx, SignatureSupportingConfigProperties signatureSupportingConfigProperties) {
        super(vertx);
        this.jwkSet = new JsonObject();
        Objects.requireNonNull(signatureSupportingConfigProperties);
        try {
            if (signatureSupportingConfigProperties.getSharedSecret() != null) {
                byte[] bytes = getBytes(signatureSupportingConfigProperties.getSharedSecret());
                this.signingKeyId = addSecretKey(Keys.hmacShaKeyFor(bytes));
                LOG.info("using shared secret [{} bytes] for signing/validating tokens", Integer.valueOf(bytes.length));
            } else {
                if (signatureSupportingConfigProperties.getKeyPath() == null || signatureSupportingConfigProperties.getCertPath() == null) {
                    throw new IllegalArgumentException("configuration does not specify any key material for signing tokens");
                }
                this.signingKeyId = addPrivateKey(signatureSupportingConfigProperties.getKeyPath(), signatureSupportingConfigProperties.getCertPath());
                LOG.info("using key pair [private: {}, cert: {}] for signing/verifying tokens", signatureSupportingConfigProperties.getKeyPath(), signatureSupportingConfigProperties.getCertPath());
            }
            this.tokenLifetime = Duration.ofSeconds(signatureSupportingConfigProperties.getTokenExpiration());
            LOG.info("using token lifetime of {} seconds", Long.valueOf(this.tokenLifetime.getSeconds()));
            this.config = signatureSupportingConfigProperties;
            createJwk();
        } catch (SecurityException e) {
            throw new IllegalArgumentException("failed to create factory for configured key material", e);
        }
    }

    @Override // org.eclipse.hono.service.auth.AuthTokenFactory
    public Duration getTokenLifetime() {
        return this.tokenLifetime;
    }

    private void createJwk() {
        this.jwkSet.put("keys", (JsonArray) getValidatingKeys().stream().map(entry -> {
            JsonObject jsonObject = new JsonObject();
            String str = (String) entry.getKey();
            JwtSupport.KeySpec keySpec = (JwtSupport.KeySpec) entry.getValue();
            jsonObject.put(PROPERTY_JWK_USE, "sig");
            jsonObject.put(PROPERTY_JWK_KEY_OPS, "verify");
            Key key = keySpec.key;
            if (key instanceof SecretKey) {
                jsonObject.put(PROPERTY_JWK_KTY, "oct");
                jsonObject.put(PROPERTY_JWK_K, keySpec.key.getEncoded());
            } else {
                addPublicKey(jsonObject, keySpec);
            }
            jsonObject.put(PROPERTY_JWK_KID, str);
            jsonObject.put(PROPERTY_JWK_ALG, keySpec.algorithm.getValue());
            return jsonObject;
        }).collect(JsonArray::new, (v0, v1) -> {
            v0.add(v1);
        }, (v0, v1) -> {
            v0.addAll(v1);
        }));
        if (LOG.isInfoEnabled()) {
            LOG.info("successfully created JWK set:{}{}", System.lineSeparator(), this.jwkSet.encodePrettily());
        }
    }

    private void addPublicKey(JsonObject jsonObject, JwtSupport.KeySpec keySpec) {
        Key key = keySpec.key;
        if (key instanceof RSAPublicKey) {
            addRsaPublicKey(jsonObject, (RSAPublicKey) key);
        } else {
            Key key2 = keySpec.key;
            if (!(key2 instanceof ECPublicKey)) {
                throw new IllegalArgumentException("unsupported key type [%s], must be RSA or EC".formatted(keySpec.key.getAlgorithm()));
            }
            addEcPublicKey(jsonObject, (ECPublicKey) key2);
        }
        jsonObject.put(PROPERTY_JWK_KTY, keySpec.key.getAlgorithm());
    }

    private void addRsaPublicKey(JsonObject jsonObject, RSAPublicKey rSAPublicKey) {
        Base64.Encoder withoutPadding = Base64.getUrlEncoder().withoutPadding();
        jsonObject.put(PROPERTY_JWK_N, withoutPadding.encodeToString(rSAPublicKey.getModulus().toByteArray()));
        jsonObject.put(PROPERTY_JWK_E, withoutPadding.encodeToString(rSAPublicKey.getPublicExponent().toByteArray()));
    }

    private String getNistCurveName(ECPublicKey eCPublicKey) throws GeneralSecurityException {
        AlgorithmParameters algorithmParameters = AlgorithmParameters.getInstance("EC");
        algorithmParameters.init(eCPublicKey.getParams());
        String name = ((ECGenParameterSpec) algorithmParameters.getParameterSpec(ECGenParameterSpec.class)).getName();
        return (String) Optional.ofNullable(CURVE_OID_TO_NIST_NAME.get(name)).orElseThrow(() -> {
            return new IllegalArgumentException("unsupported curve [%s]".formatted(name));
        });
    }

    private void addEcPublicKey(JsonObject jsonObject, ECPublicKey eCPublicKey) {
        try {
            jsonObject.put(PROPERTY_JWK_CRV, getNistCurveName(eCPublicKey));
            Base64.Encoder withoutPadding = Base64.getUrlEncoder().withoutPadding();
            jsonObject.put(PROPERTY_JWK_X, withoutPadding.encodeToString(eCPublicKey.getW().getAffineX().toByteArray()));
            jsonObject.put(PROPERTY_JWK_Y, withoutPadding.encodeToString(eCPublicKey.getW().getAffineY().toByteArray()));
        } catch (GeneralSecurityException e) {
            throw new IllegalArgumentException("cannot serialize EC based public key", e);
        }
    }

    @Override // org.eclipse.hono.service.auth.AuthTokenFactory
    public String createToken(String str, Authorities authorities) {
        Objects.requireNonNull(str);
        JwtSupport.KeySpec signingKey = getSigningKey(this.signingKeyId);
        JwtBuilder expiration = Jwts.builder().signWith(signingKey.key, signingKey.algorithm).setHeaderParam(PROPERTY_JWK_KID, this.signingKeyId).setIssuer(this.config.getIssuer()).setSubject(str).setExpiration(Date.from(Instant.now().plus((TemporalAmount) this.tokenLifetime)));
        Optional.ofNullable(authorities).map((v0) -> {
            return v0.asMap();
        }).ifPresent(map -> {
            Objects.requireNonNull(expiration);
            map.forEach(expiration::claim);
        });
        Optional ofNullable = Optional.ofNullable(this.config.getAudience());
        Objects.requireNonNull(expiration);
        ofNullable.ifPresent(expiration::setAudience);
        return expiration.compact();
    }

    @Override // org.eclipse.hono.service.auth.AuthTokenFactory
    public JsonObject getValidatingJwkSet() {
        return this.jwkSet;
    }
}
