package pl.edu.icm.unity.oauth.as.token;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.util.Base64;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import pl.edu.icm.unity.base.exceptions.InternalException;
import pl.edu.icm.unity.oauth.as.OAuthASProperties;

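/**
 * JAX-RS resource that publishes the token signer's verification key as a JWK Set
 * under {@code OAuthTokenEndpoint.JWK_PATH}.
 *
 * <p>Only public material is placed in the set: the JWKs are built from the public key of
 * the signer's certificate plus the certificate chain ({@code x5c}). When the signer does
 * not use PKI, or signs with an HMAC algorithm, an empty set is returned, because a
 * symmetric key has no public half that could safely be published.
 *
 * <p>The whole configured certificate chain is included in the response, so every
 * certificate in the credential's chain is visible to any caller that can reach this
 * resource.
 */
@Path(OAuthTokenEndpoint.JWK_PATH)
public class KeysResource extends BaseOAuthResource {
    private final OAuthASProperties config;

    /**
     * @param oAuthASProperties endpoint configuration; its token signer supplies the
     *     signing algorithm, certificate and certificate chain
     */
    public KeysResource(OAuthASProperties oAuthASProperties) {
        this.config = oAuthASProperties;
    }

    /**
     * Returns the JWK Set describing the key that relying parties need to verify tokens.
     *
     * @return the serialized JWK Set: one RSA or EC signature key when PKI signing is
     *     enabled, otherwise an empty set
     * @throws InternalException if PKI is enabled but the signing algorithm is neither an
     *     RSA, an EC nor an HMAC algorithm, or if a chain certificate cannot be encoded
     */
    @Produces({"application/jwk-set+json; charset=UTF-8"})
    @Path("/")
    @GET
    public String getKeys() {
        if (!this.config.getTokenSigner().isPKIEnabled()) {
            return new JWKSet().toString();
        }
        JWSAlgorithm signingAlgorithm = this.config.getTokenSigner().getSigningAlgorithm();
        if (JWSAlgorithm.Family.RSA.contains(signingAlgorithm)) {
            return new JWKSet(buildRsaKey()).toString();
        }
        if (JWSAlgorithm.Family.EC.contains(signingAlgorithm)) {
            return new JWKSet(buildEcKey(signingAlgorithm)).toString();
        }
        if (!JWSAlgorithm.Family.HMAC_SHA.contains(signingAlgorithm)) {
            throw new InternalException("Unsupported key in certificate, shouldn't happen");
        }
        // HMAC: the signing key is a shared secret, so nothing is published.
        return new JWKSet().toString();
    }

    /** Builds the public RSA signature JWK from the signer's certificate and chain. */
    private RSAKey buildRsaKey() {
        // NOTE(review): the cast assumes the certificate key type matches the configured
        // algorithm family; a mismatch surfaces as ClassCastException - confirm the signer
        // configuration validates this.
        return new RSAKey.Builder(
                        (RSAPublicKey) this.config.getTokenSigner().getCredentialCertificate().getPublicKey())
                .keyUse(KeyUse.SIGNATURE)
                .keyID(KeyIdExtractor.getKeyId(this.config.getTokenSigner().getCredentialCertificate()))
                .x509CertChain(getCertAsX5CAttribute(this.config.getTokenSigner().getCredentialCertificateChain()))
                .build();
    }

    /** Builds the public EC signature JWK from the signer's certificate and chain. */
    private ECKey buildEcKey(JWSAlgorithm signingAlgorithm) {
        // NOTE(review): the curve is derived from the algorithm (first curve listed for it),
        // not read from the key's own parameters - presumably the signer configuration
        // guarantees they agree; confirm.
        Curve curve = Curve.forJWSAlgorithm(signingAlgorithm).iterator().next();
        return new ECKey.Builder(
                        curve,
                        (ECPublicKey) this.config.getTokenSigner().getCredentialCertificate().getPublicKey())
                .keyID(KeyIdExtractor.getKeyId(this.config.getTokenSigner().getCredentialCertificate()))
                .keyUse(KeyUse.SIGNATURE)
                .x509CertChain(getCertAsX5CAttribute(this.config.getTokenSigner().getCredentialCertificateChain()))
                .build();
    }

    /**
     * Converts a certificate chain into the value list of the JWK {@code x5c} parameter.
     *
     * @param x509CertificateArr certificate chain, in the order it should be published
     * @return Base64 encoding of each certificate's encoded form, in the same order
     * @throws InternalException if a certificate cannot be encoded
     */
    private List<Base64> getCertAsX5CAttribute(X509Certificate[] x509CertificateArr) {
        // Stream the array with its real element type: going through Object[] and a raw
        // List cast would lose the type the lambda needs to call getEncoded().
        return Stream.of(x509CertificateArr).map(x509Certificate -> {
            try {
                return Base64.encode(x509Certificate.getEncoded());
            } catch (CertificateEncodingException e) {
                throw new InternalException("Can not encode certificate", e);
            }
        }).collect(Collectors.toList());
    }
}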
