package org.springframework.security.oauth2.provider.token.store;

import io.jsonwebtoken.JwsHeader;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.crypto.codec.Base64;
import org.springframework.security.jwt.JwtHelper;
import org.springframework.security.jwt.crypto.sign.InvalidSignatureException;
import org.springframework.security.jwt.crypto.sign.MacSigner;
import org.springframework.security.jwt.crypto.sign.RsaSigner;
import org.springframework.security.jwt.crypto.sign.RsaVerifier;
import org.springframework.security.jwt.crypto.sign.SignatureVerifier;
import org.springframework.security.jwt.crypto.sign.Signer;
import org.springframework.security.oauth2.common.DefaultExpiringOAuth2RefreshToken;
import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
import org.springframework.security.oauth2.common.DefaultOAuth2RefreshToken;
import org.springframework.security.oauth2.common.ExpiringOAuth2RefreshToken;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.OAuth2RefreshToken;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.common.util.JsonParser;
import org.springframework.security.oauth2.common.util.JsonParserFactory;
import org.springframework.security.oauth2.common.util.RandomValueStringGenerator;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.token.AccessTokenConverter;
import org.springframework.security.oauth2.provider.token.DefaultAccessTokenConverter;
import org.springframework.security.oauth2.provider.token.TokenEnhancer;
import org.springframework.util.Assert;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-2.0.14.RELEASE.jar:org/springframework/security/oauth2/provider/token/store/JwtAccessTokenConverter.class */
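/**
 * Token enhancer and converter that turns OAuth2 access and refresh tokens into signed JWTs
 * and back again.
 *
 * <p>Claim mapping is delegated to the configured {@link AccessTokenConverter}; this class adds
 * the JWT encoding, the {@code jti}/{@code ati} bookkeeping and the signing and verification
 * keys.
 *
 * <p>Key handling, as implemented below:
 * <ul>
 * <li>With no configuration, a random string generated at construction is used as an HMAC key
 * for both signing and verification.</li>
 * <li>{@link #setSigningKey(String)} selects RSA when the value starts with {@code -----BEGIN}
 * and HMAC otherwise. In the HMAC case the same secret becomes the verifier key.</li>
 * <li>{@link #getKey()} returns the verifier key verbatim. Under HMAC that is the signing
 * secret, so anything that publishes the result must be access controlled.</li>
 * </ul>
 */
public class JwtAccessTokenConverter implements TokenEnhancer, AccessTokenConverter, InitializingBean {
    /** Claim name holding the token identifier. */
    public static final String TOKEN_ID = "jti";
    /** Claim name a refresh token uses to reference the access token it was issued with. */
    public static final String ACCESS_TOKEN_ID = "ati";
    private static final Log logger = LogFactory.getLog(JwtAccessTokenConverter.class);
    private AccessTokenConverter tokenConverter = new DefaultAccessTokenConverter();
    private JsonParser objectMapper = JsonParserFactory.create();
    // Default key material: a random string generated when this instance is constructed.
    private String verifierKey = new RandomValueStringGenerator().generate();
    private Signer signer = new MacSigner(this.verifierKey);
    private String signingKey = this.verifierKey;
    // Stays null until setVerifier, setKeyPair or afterPropertiesSet assigns it.
    private SignatureVerifier verifier;

    /**
     * Replaces the converter used to map tokens to and from claim maps.
     *
     * @param accessTokenConverter the delegate converter
     */
    public void setAccessTokenConverter(AccessTokenConverter accessTokenConverter) {
        this.tokenConverter = accessTokenConverter;
    }

    /**
     * @return the converter currently used to map tokens to and from claim maps
     */
    public AccessTokenConverter getAccessTokenConverter() {
        return this.tokenConverter;
    }

    /** Delegates to the configured {@link AccessTokenConverter}. */
    @Override
    public Map<String, ?> convertAccessToken(OAuth2AccessToken oAuth2AccessToken, OAuth2Authentication oAuth2Authentication) {
        return this.tokenConverter.convertAccessToken(oAuth2AccessToken, oAuth2Authentication);
    }

    /** Delegates to the configured {@link AccessTokenConverter}. */
    @Override
    public OAuth2AccessToken extractAccessToken(String str, Map<String, ?> map) {
        return this.tokenConverter.extractAccessToken(str, map);
    }

    /** Delegates to the configured {@link AccessTokenConverter}. */
    @Override
    public OAuth2Authentication extractAuthentication(Map<String, ?> map) {
        return this.tokenConverter.extractAuthentication(map);
    }

    /**
     * Sets the verifier used by {@link #decode(String)}. When a verifier is set,
     * {@link #afterPropertiesSet()} returns early and performs none of its key consistency
     * checks.
     *
     * @param signatureVerifier the verifier to use
     */
    public void setVerifier(SignatureVerifier signatureVerifier) {
        this.verifier = signatureVerifier;
    }

    /**
     * Sets the signer used by {@link #encode}. The verifier key reported by {@link #getKey()}
     * is not updated here, so the caller has to keep the two consistent.
     *
     * @param signer the signer to use
     */
    public void setSigner(Signer signer) {
        this.signer = signer;
    }

    /**
     * Describes the verification key as a map holding the signer's algorithm name and the
     * verifier key under {@code "value"}.
     *
     * <p>Security note: for an HMAC configuration the verifier key is the shared signing secret
     * (see {@link #setSigningKey(String)}), so whoever can read this map can mint valid tokens.
     * Only an RSA configuration yields a value that is safe to hand to other parties.
     *
     * @return an insertion-ordered map with the algorithm and the key value
     */
    public Map<String, String> getKey() {
        Map<String, String> key = new LinkedHashMap<String, String>();
        key.put(JwsHeader.ALGORITHM, this.signer.algorithm());
        key.put("value", this.verifierKey);
        return key;
    }

    /**
     * Configures RSA signing and verification from a key pair and stores the public key,
     * PEM-armoured, as the verifier key.
     *
     * @param keyPair the pair to use; its private key must be an {@link RSAPrivateKey}
     * @throws IllegalStateException if the private key is not an RSA key
     * @throws ClassCastException if the public key is not an {@link RSAPublicKey} (it is cast
     *         without a prior check)
     */
    public void setKeyPair(KeyPair keyPair) {
        PrivateKey privateKey = keyPair.getPrivate();
        Assert.state(privateKey instanceof RSAPrivateKey, "KeyPair must be an RSA ");
        this.signer = new RsaSigner((RSAPrivateKey) privateKey);
        RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
        this.verifier = new RsaVerifier(publicKey);
        this.verifierKey = "-----BEGIN PUBLIC KEY-----\n" + new String(Base64.encode(publicKey.getEncoded())) + "\n-----END PUBLIC KEY-----";
    }

    /**
     * Sets the signing key. A value starting with {@code -----BEGIN} configures an RSA signer;
     * any other value is used as an HMAC secret and also becomes the verifier key.
     *
     * <p>In the RSA case the verifier key is left untouched, so it must be supplied through
     * {@link #setVerifierKey(String)}. Otherwise {@link #afterPropertiesSet()} ends up checking
     * the RSA signer against a verifier built from an unrelated key.
     *
     * @param str the key text; surrounding whitespace is trimmed
     */
    public void setSigningKey(String str) {
        Assert.hasText(str);
        String key = str.trim();
        this.signingKey = key;
        if (isPublic(key)) {
            this.signer = new RsaSigner(key);
            // Log only the fact of configuration, never the key material.
            logger.info("Configured with RSA signing key");
        } else {
            this.verifierKey = key;
            this.signer = new MacSigner(key);
        }
    }

    /**
     * Reports whether the key text carries a PEM-style {@code -----BEGIN} header. Despite the
     * name, this is the only test that selects RSA over HMAC in
     * {@link #setSigningKey(String)}.
     */
    private boolean isPublic(String str) {
        return str.startsWith("-----BEGIN");
    }

    /**
     * @return {@code true} if the current signer is an {@link RsaSigner}
     */
    public boolean isPublic() {
        return this.signer instanceof RsaSigner;
    }

    /**
     * Sets the key from which {@link #afterPropertiesSet()} builds the verifier and which
     * {@link #getKey()} reports. The value is stored as given, without trimming.
     *
     * @param str the verifier key
     */
    public void setVerifierKey(String str) {
        this.verifierKey = str;
    }

    /**
     * Replaces the value of the access token, and of its refresh token if present, with signed
     * JWTs.
     *
     * <p>The access token keeps an existing {@code jti} from its additional information or
     * receives its original value as {@code jti}. The refresh token receives its own
     * {@code jti} plus an {@code ati} claim that points at the access token's identifier.
     *
     * @param oAuth2AccessToken the token to enhance; it is copied, not modified
     * @param oAuth2Authentication the authentication the token was issued for
     * @return a copy of the token carrying JWT-encoded values
     */
    @Override
    public OAuth2AccessToken enhance(OAuth2AccessToken oAuth2AccessToken, OAuth2Authentication oAuth2Authentication) {
        DefaultOAuth2AccessToken result = new DefaultOAuth2AccessToken(oAuth2AccessToken);
        Map<String, Object> info = new LinkedHashMap<String, Object>(oAuth2AccessToken.getAdditionalInformation());
        String tokenId = result.getValue();
        if (info.containsKey(TOKEN_ID)) {
            tokenId = (String) info.get(TOKEN_ID);
        } else {
            info.put(TOKEN_ID, tokenId);
        }
        result.setAdditionalInformation(info);
        result.setValue(encode(result, oAuth2Authentication));
        OAuth2RefreshToken refreshToken = result.getRefreshToken();
        if (refreshToken != null) {
            DefaultOAuth2AccessToken encodedRefreshToken = new DefaultOAuth2AccessToken(oAuth2AccessToken);
            encodedRefreshToken.setValue(refreshToken.getValue());
            encodedRefreshToken.setExpiration(null);
            try {
                // The refresh token is decoded WITHOUT signature verification. Only its jti is
                // read, so the identifier survives re-encoding; nothing here may be treated as
                // an authorization decision.
                Map<String, Object> claims = this.objectMapper.parseMap(JwtHelper.decode(refreshToken.getValue()).getClaims());
                if (claims.containsKey(TOKEN_ID)) {
                    encodedRefreshToken.setValue(claims.get(TOKEN_ID).toString());
                }
            } catch (IllegalArgumentException ignored) {
                // Deliberate best effort: the raw refresh token value is kept as the jti when
                // the value cannot be decoded.
            }
            Map<String, Object> refreshTokenInfo = new LinkedHashMap<String, Object>(oAuth2AccessToken.getAdditionalInformation());
            refreshTokenInfo.put(TOKEN_ID, encodedRefreshToken.getValue());
            refreshTokenInfo.put(ACCESS_TOKEN_ID, tokenId);
            encodedRefreshToken.setAdditionalInformation(refreshTokenInfo);
            DefaultOAuth2RefreshToken token = new DefaultOAuth2RefreshToken(encode(encodedRefreshToken, oAuth2Authentication));
            if (refreshToken instanceof ExpiringOAuth2RefreshToken) {
                // Re-encode so that the expiry is part of the signed claims.
                Date expiration = ((ExpiringOAuth2RefreshToken) refreshToken).getExpiration();
                encodedRefreshToken.setExpiration(expiration);
                token = new DefaultExpiringOAuth2RefreshToken(encode(encodedRefreshToken, oAuth2Authentication), expiration);
            }
            result.setRefreshToken(token);
        }
        return result;
    }

    /**
     * Reports whether the token's additional information carries the {@code ati} marker that
     * {@link #enhance} writes into refresh tokens.
     *
     * @param oAuth2AccessToken the token to inspect
     * @return {@code true} if an {@code ati} entry is present
     */
    public boolean isRefreshToken(OAuth2AccessToken oAuth2AccessToken) {
        return oAuth2AccessToken.getAdditionalInformation().containsKey(ACCESS_TOKEN_ID);
    }

    /**
     * Serialises the token's claims to JSON and signs them with the configured signer.
     *
     * @param oAuth2AccessToken the token to encode
     * @param oAuth2Authentication the authentication the token was issued for
     * @return the encoded JWT
     * @throws IllegalStateException if conversion or signing fails; the cause is preserved
     */
    protected String encode(OAuth2AccessToken oAuth2AccessToken, OAuth2Authentication oAuth2Authentication) {
        try {
            return JwtHelper.encode(this.objectMapper.formatMap(this.tokenConverter.convertAccessToken(oAuth2AccessToken, oAuth2Authentication)), this.signer).getEncoded();
        } catch (Exception e) {
            throw new IllegalStateException("Cannot convert access token to JSON", e);
        }
    }

    /**
     * Verifies the JWT signature with the configured verifier and returns the claims.
     *
     * <p>An integer {@code exp} claim is widened to {@code Long}. Expiry and the other claims
     * are not validated here. Any failure, including a bad signature, surfaces as
     * {@link InvalidTokenException}.
     *
     * <p>The decompiler reports that this method was originally {@code protected}; the
     * decompiled {@code public} modifier is kept.
     *
     * @param str the encoded JWT
     * @return the parsed claims
     * @throws InvalidTokenException if the token cannot be verified or parsed
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public Map<String, Object> decode(String str) {
        try {
            Map<String, Object> claims = this.objectMapper.parseMap(JwtHelper.decodeAndVerify(str, this.verifier).getClaims());
            if (claims.containsKey("exp") && (claims.get("exp") instanceof Integer)) {
                claims.put("exp", Long.valueOf(((Integer) claims.get("exp")).longValue()));
            }
            return claims;
        } catch (Exception e) {
            throw new InvalidTokenException("Cannot convert access token to JSON", e);
        }
    }

    /**
     * Builds the verifier from the verifier key unless one has been set explicitly.
     *
     * <p>An RSA verifier is tried first and an HMAC verifier over the same key text is the
     * fallback. For an RSA signer, a sign-and-verify round trip checks that the two keys belong
     * together. For HMAC, the signing and verifier keys must be equal.
     *
     * @throws IllegalStateException if HMAC is in use and the two keys differ
     */
    @Override
    public void afterPropertiesSet() throws Exception {
        if (this.verifier != null) {
            return;
        }
        SignatureVerifier candidate = new MacSigner(this.verifierKey);
        try {
            candidate = new RsaVerifier(this.verifierKey);
        } catch (Exception e) {
            logger.warn("Unable to create an RSA verifier from verifierKey (ignoreable if using MAC)");
        }
        if (this.signer instanceof RsaSigner) {
            // The payload is arbitrary; only the sign/verify round trip matters.
            byte[] probe = "test".getBytes();
            try {
                candidate.verify(probe, this.signer.sign(probe));
                logger.info("Signing and verification RSA keys match");
            } catch (InvalidSignatureException e2) {
                // NOTE(review): a mismatch is only logged and start-up continues, so tokens
                // issued by this instance will later fail decode(). Treat this log line as a
                // configuration error to alert on.
                logger.error("Signing and verification RSA keys do not match");
            }
        } else if (candidate instanceof MacSigner) {
            // Compare by content: two equal key strings configured separately are distinct
            // objects and must not be rejected.
            Assert.state(this.signingKey.equals(this.verifierKey), "For MAC signing you do not need to specify the verifier key separately, and if you do it must match the signing key");
        }
        this.verifier = candidate;
    }
}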
