package org.forgerock.openidconnect;

import java.security.Key;
import java.security.KeyPair;
import java.security.SignatureException;
import java.security.interfaces.ECPrivateKey;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import org.forgerock.json.JsonValue;
import org.forgerock.json.jose.builders.JwtBuilderFactory;
import org.forgerock.json.jose.builders.SignedJwtBuilderImpl;
import org.forgerock.json.jose.jwe.EncryptionMethod;
import org.forgerock.json.jose.jwe.JweAlgorithm;
import org.forgerock.json.jose.jws.JwsAlgorithm;
import org.forgerock.json.jose.jws.JwsAlgorithmType;
import org.forgerock.json.jose.jws.SigningManager;
import org.forgerock.json.jose.jws.handlers.SigningHandler;
import org.forgerock.json.jose.jwt.Jwt;
import org.forgerock.json.jose.jwt.JwtClaimsSet;
import org.forgerock.oauth2.core.Token;
import org.forgerock.oauth2.core.Utils;
import org.forgerock.oauth2.core.exceptions.ServerException;
import org.forgerock.openam.audit.AuditConstants;
import org.forgerock.openam.oauth2.OAuthProblemException;
import org.forgerock.openam.utils.CollectionUtils;
import org.restlet.Request;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/forgerock/openidconnect/OpenIdConnectToken.class */
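/**
 * An OpenID Connect ID token, held as a {@link JsonValue} map of claims.
 * <p>
 * Instances created with the full constructor also carry the signing and (optional) encryption
 * material needed to serialise themselves as a JWT through {@link #getTokenId()} or
 * {@link #toMap()}. Instances created from a {@link JwtClaimsSet} carry claims only: their key
 * material and signing algorithm are {@code null}, so they can be inspected but not (re)signed.
 * <p>
 * Empty string claims are never stored (see {@link #set(String, String)}); numeric claims
 * ({@code exp}, {@code iat}, {@code auth:time}) and the {@code amr} list are stored as given.
 */
public class OpenIdConnectToken extends JsonValue implements Token {
    private static final String KEY_ID_HEADER = "kid";
    // A single shared logger; the name is the one the original per-instance lookup used.
    private static final Logger LOGGER = LoggerFactory.getLogger("OAuth2Provider");

    private final JwtBuilderFactory jwtBuilderFactory;
    // Used as the HMAC key whenever the signing algorithm is neither RSA nor ECDSA.
    private final byte[] clientSecret;
    // Provides the private key for RSA/ECDSA signing; null for tokens rebuilt from a claims set.
    private final KeyPair signingKeyPair;
    private final Key encryptionKey;
    // Name of a JwsAlgorithm enum constant; null for tokens rebuilt from a claims set.
    private final String signingAlgorithm;
    private final boolean isIDTokenEncryptionEnabled;
    private final String encryptionAlgorithm;
    private final String encryptionMethod;
    private final String signingKeyId;
    private final String encryptionKeyId;

    /**
     * Creates an ID token from its claims and the key material used to sign (and optionally
     * encrypt) it.
     *
     * @param signingKeyId      value for the {@code kid} header of the signed JWT; omitted if null
     * @param encryptionKeyId   value for the {@code kid} header of the encrypted JWT; omitted if null
     * @param clientSecret      HMAC key used when {@code signingAlgorithm} is not RSA/ECDSA
     * @param signingKeyPair    key pair whose private key is used for RSA/ECDSA signing
     * @param encryptionKey     key used to encrypt the signed JWT when encryption is enabled
     * @param signingAlgorithm  name of the {@link JwsAlgorithm} constant to sign with
     * @param encryptionAlgorithm JWE algorithm name, parsed by {@link JweAlgorithm#parseAlgorithm}
     * @param encryptionMethod  JWE encryption method name, parsed by {@link EncryptionMethod#parseMethod}
     * @param isIDTokenEncryptionEnabled whether the signed JWT is additionally encrypted
     * @param iss               {@code iss} claim
     * @param sub               {@code sub} claim
     * @param aud               {@code aud} claim
     * @param azp               {@code azp} claim
     * @param exp               {@code exp} claim
     * @param iat               {@code iat} claim
     * @param authTime          stored under the {@code auth:time} key
     * @param nonce             {@code nonce} claim
     * @param ops               stored under the {@code org.forgerock.openidconnect.ops} key
     * @param atHash            {@code at_hash} claim
     * @param cHash             {@code c_hash} claim
     * @param acr               {@code acr} claim
     * @param amr               {@code amr} claim
     * @param auditTrackingId   {@code auditTrackingId} claim
     * @param realm             {@code realm} claim
     */
    public OpenIdConnectToken(String signingKeyId, String encryptionKeyId, byte[] clientSecret, KeyPair signingKeyPair, Key encryptionKey, String signingAlgorithm, String encryptionAlgorithm, String encryptionMethod, boolean isIDTokenEncryptionEnabled, String iss, String sub, String aud, String azp, long exp, long iat, long authTime, String nonce, String ops, String atHash, String cHash, String acr, List<String> amr, String auditTrackingId, String realm) {
        super(new HashMap<String, Object>());
        this.jwtBuilderFactory = new JwtBuilderFactory();
        this.clientSecret = clientSecret;
        this.signingAlgorithm = signingAlgorithm;
        this.isIDTokenEncryptionEnabled = isIDTokenEncryptionEnabled;
        this.encryptionAlgorithm = encryptionAlgorithm;
        this.encryptionMethod = encryptionMethod;
        this.signingKeyPair = signingKeyPair;
        this.encryptionKey = encryptionKey;
        this.signingKeyId = signingKeyId;
        this.encryptionKeyId = encryptionKeyId;
        setIss(iss);
        setSub(sub);
        setAud(aud);
        setAzp(azp);
        setExp(exp);
        setIat(iat);
        setAuthTime(authTime);
        setNonce(nonce);
        setOps(ops);
        setAtHash(atHash);
        setCHash(cHash);
        setAcr(acr);
        setAmr(amr);
        setTokenType("JWTToken");
        setTokenName("id_token");
        set("auditTrackingId", auditTrackingId);
        setRealm(realm);
    }

    /**
     * Rebuilds an ID token from an already-parsed claims set.
     * <p>
     * Only the listed claims are copied; the {@code aud} claim is reduced to the first audience
     * entry. No signing or encryption configuration is available on such a token, so
     * {@link #getTokenId()} and {@link #toMap()} will fail on it.
     *
     * @param jwtClaimsSet the claims to copy from
     */
    public OpenIdConnectToken(JwtClaimsSet jwtClaimsSet) {
        super(new HashMap<String, Object>());
        this.jwtBuilderFactory = new JwtBuilderFactory();
        this.clientSecret = null;
        this.signingAlgorithm = null;
        this.isIDTokenEncryptionEnabled = false;
        this.encryptionAlgorithm = null;
        this.encryptionMethod = null;
        this.signingKeyPair = null;
        this.encryptionKey = null;
        this.signingKeyId = null;
        this.encryptionKeyId = null;
        setClaims(jwtClaimsSet, "iss", "sub", "azp", "nonce", "org.forgerock.openidconnect.ops", "at_hash", "c_hash", "acr", "auditTrackingId", "auth:time", "amr", "realm");
        setAud((String) CollectionUtils.getFirstItem(jwtClaimsSet.getAudience()));
        setTokenType("JWTToken");
        setTokenName("id_token");
    }

    /**
     * Copies each named claim that is defined in {@code jwtClaimsSet} into this token; claims
     * that are not defined are skipped.
     *
     * @param jwtClaimsSet the source claims
     * @param claimNames   the claim keys to copy
     */
    protected void setClaims(JwtClaimsSet jwtClaimsSet, String... claimNames) {
        for (String claimName : claimNames) {
            if (jwtClaimsSet.isDefined(claimName)) {
                put(claimName, jwtClaimsSet.get(claimName).getObject());
            }
        }
    }

    private void setRealm(String realm) {
        set("realm", realm);
    }

    /**
     * Stores a string claim, skipping it entirely when the value is empty per
     * {@link Utils#isEmpty}.
     */
    private void set(String claimName, String value) {
        if (Utils.isEmpty(value)) {
            return;
        }
        put(claimName, value);
    }

    private void setIss(String iss) {
        set("iss", iss);
    }

    private void setSub(String sub) {
        set("sub", sub);
    }

    private void setAud(String aud) {
        set("aud", aud);
    }

    private void setAzp(String azp) {
        set("azp", azp);
    }

    private void setExp(long exp) {
        put("exp", Long.valueOf(exp));
    }

    private void setIat(long iat) {
        put("iat", Long.valueOf(iat));
    }

    // NOTE(review): the key is "auth:time" (colon), not the "auth_time" spelling; it is a runtime
    // key that other code reads, so it is kept as-is here.
    private void setAuthTime(long authTime) {
        put("auth:time", Long.valueOf(authTime));
    }

    private void setNonce(String nonce) {
        set("nonce", nonce);
    }

    private void setOps(String ops) {
        set("org.forgerock.openidconnect.ops", ops);
    }

    private void setAtHash(String atHash) {
        set("at_hash", atHash);
    }

    private void setCHash(String cHash) {
        set("c_hash", cHash);
    }

    private void setAcr(String acr) {
        set("acr", acr);
    }

    private void setAmr(List<String> amr) {
        put("amr", amr);
    }

    private void setTokenType(String tokenType) {
        set("tokenType", tokenType);
    }

    private void setTokenName(String tokenName) {
        set("tokenName", tokenName);
    }

    /**
     * Serialises this token as a signed (and, if enabled, encrypted) JWT.
     *
     * @return the compact JWT string
     * @throws ServerException if signing fails; the underlying {@link SignatureException} is
     *         logged with its stack trace rather than attached as the cause
     */
    @Override // org.forgerock.oauth2.core.Token
    public String getTokenId() throws ServerException {
        try {
            return createJwt().build();
        } catch (SignatureException e) {
            LOGGER.error("Cant get JWT id", e);
            throw new ServerException("Cant get JWT id");
        }
    }

    @Override // org.forgerock.oauth2.core.Token
    public String getTokenName() {
        return get("tokenName").asString();
    }

    /**
     * Returns a mutable map holding this token's {@link Jwt} under the {@code id_token} key.
     *
     * @throws ServerException if signing fails
     */
    @Override // org.forgerock.oauth2.core.Token
    public Map<String, Object> toMap() throws ServerException {
        try {
            Map<String, Object> result = new HashMap<String, Object>();
            result.put("id_token", createJwt());
            return result;
        } catch (SignatureException e) {
            LOGGER.error("Cant sign JWT", e);
            throw new ServerException("Cant sign JWT");
        }
    }

    /** Always an empty, mutable map: ID tokens expose no introspection info here. */
    @Override // org.forgerock.oauth2.core.Token
    public Map<String, Object> getTokenInfo() {
        return new HashMap<String, Object>();
    }

    @Override // org.forgerock.oauth2.core.Token
    public JsonValue toJsonValue() {
        return this;
    }

    @Override // org.forgerock.oauth2.core.Token
    public String getAuditTrackingId() {
        return get("auditTrackingId").asString();
    }

    @Override // org.forgerock.oauth2.core.Token
    public AuditConstants.TrackingIdKey getAuditTrackingIdKey() {
        return AuditConstants.TrackingIdKey.OIDC_ID_TOKEN;
    }

    /**
     * Builds the JWT for this token's current claims.
     * <p>
     * The signed JWT is wrapped in an encrypted JWT only when encryption is enabled; in that case
     * the encryption algorithm, method and key must all be present, otherwise a server error is
     * raised against the current Restlet request.
     *
     * @throws SignatureException      if signing fails
     * @throws NullPointerException    if this token has no signing algorithm (it was rebuilt
     *                                 from a claims set)
     * @throws IllegalArgumentException if the signing algorithm name is not a {@link JwsAlgorithm}
     */
    private Jwt createJwt() throws SignatureException {
        // Tokens rebuilt from a JwtClaimsSet have no signing configuration; fail with a clear
        // message instead of the bare NPE that Enum.valueOf(null) would raise.
        Objects.requireNonNull(this.signingAlgorithm,
                "signingAlgorithm is not set; this token was not created with signing configuration");
        JwsAlgorithm jwsAlgorithm = JwsAlgorithm.valueOf(this.signingAlgorithm);
        if (this.isIDTokenEncryptionEnabled
                && (Utils.isEmpty(this.encryptionAlgorithm) || Utils.isEmpty(this.encryptionMethod) || this.encryptionKey == null)) {
            LOGGER.info("ID Token Encryption not set. algorithm: {}, method: {}", this.encryptionAlgorithm, this.encryptionMethod);
            throw OAuthProblemException.OAuthError.SERVER_ERROR.handle(Request.getCurrent(), "ID Token Encryption not set. algorithm: " + this.encryptionAlgorithm + ", method: " + this.encryptionMethod);
        }
        SigningHandler signingHandler = getSigningHandler(jwsAlgorithm);
        JwtClaimsSet claims = this.jwtBuilderFactory.claims().claims(asMap()).build();
        if (!this.isIDTokenEncryptionEnabled) {
            return createSignedJwt(signingHandler, jwsAlgorithm, claims);
        }
        LOGGER.info("ID Token Encryption enabled. algorithm: {}, method: {}", this.encryptionAlgorithm, this.encryptionMethod);
        return createEncryptedJwt(signingHandler, jwsAlgorithm, claims);
    }

    /**
     * Selects the signing handler for {@code jwsAlgorithm}: the key pair's private key for RSA
     * and ECDSA, the client secret (HMAC) for everything else.
     * <p>
     * NOTE(review): the fall-through means any algorithm type that is not RSA/ECDSA, not only
     * HMAC, is keyed with the client secret. Configuration validation upstream should guarantee
     * that only supported algorithms reach this point; confirm that it does.
     *
     * @throws NullPointerException if an asymmetric algorithm is requested but no key pair was supplied
     */
    private SigningHandler getSigningHandler(JwsAlgorithm jwsAlgorithm) {
        JwsAlgorithmType algorithmType = jwsAlgorithm.getAlgorithmType();
        SigningManager signingManager = new SigningManager();
        if (JwsAlgorithmType.RSA.equals(algorithmType)) {
            return signingManager.newRsaSigningHandler(requireSigningKeyPair(jwsAlgorithm).getPrivate());
        }
        if (JwsAlgorithmType.ECDSA.equals(algorithmType)) {
            return signingManager.newEcdsaSigningHandler((ECPrivateKey) requireSigningKeyPair(jwsAlgorithm).getPrivate());
        }
        return signingManager.newHmacSigningHandler(this.clientSecret);
    }

    /** Returns the signing key pair, or fails with a message naming the algorithm that needs it. */
    private KeyPair requireSigningKeyPair(JwsAlgorithm jwsAlgorithm) {
        return Objects.requireNonNull(this.signingKeyPair,
                "signingKeyPair is required to sign with " + jwsAlgorithm);
    }

    /**
     * Signs the claims, then encrypts the signed JWT with {@link #encryptionKey}; the JWE header
     * carries the configured algorithm, method and, when set, the encryption {@code kid}.
     */
    private Jwt createEncryptedJwt(SigningHandler signingHandler, JwsAlgorithm jwsAlgorithm, JwtClaimsSet jwtClaimsSet) {
        return signedJwtBuilder(signingHandler, jwsAlgorithm, jwtClaimsSet)
                .encrypt(this.encryptionKey)
                .headers()
                    .alg(JweAlgorithm.parseAlgorithm(this.encryptionAlgorithm))
                    .enc(EncryptionMethod.parseMethod(this.encryptionMethod))
                    .headerIfNotNull(KEY_ID_HEADER, this.encryptionKeyId)
                .done()
                .asJwt();
    }

    /** Signs the claims without encryption. */
    private Jwt createSignedJwt(SigningHandler signingHandler, JwsAlgorithm jwsAlgorithm, JwtClaimsSet jwtClaimsSet) {
        return signedJwtBuilder(signingHandler, jwsAlgorithm, jwtClaimsSet).asJwt();
    }

    /**
     * Starts a JWS builder whose header carries {@code alg} and, when set, the signing
     * {@code kid}, with {@code jwtClaimsSet} as payload.
     */
    private SignedJwtBuilderImpl signedJwtBuilder(SigningHandler signingHandler, JwsAlgorithm jwsAlgorithm, JwtClaimsSet jwtClaimsSet) {
        return this.jwtBuilderFactory.jws(signingHandler)
                .headers()
                    .alg(jwsAlgorithm)
                    .headerIfNotNull(KEY_ID_HEADER, this.signingKeyId)
                .done()
                .claims(jwtClaimsSet);
    }
}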
