package pl.edu.icm.unity.oauth.as;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.KeyLengthException;
import com.nimbusds.jose.crypto.ECDSASigner;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import eu.emi.security.authn.x509.X509Credential;
import eu.unicore.util.configuration.ConfigurationException;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAPrivateKey;
import pl.edu.icm.unity.base.exceptions.EngineException;
import pl.edu.icm.unity.base.exceptions.InternalException;
import pl.edu.icm.unity.engine.api.PKIManagement;
import pl.edu.icm.unity.oauth.as.token.KeyIdExtractor;

/* loaded from: input_file:pl/edu/icm/unity/oauth/as/TokenSigner.class */
public class TokenSigner {
    private JWSSigner internalSigner;
    private JWSAlgorithm algorithm;
    private X509Credential credential;
    private Curve curve;

    public TokenSigner(OAuthASProperties oAuthASProperties, PKIManagement pKIManagement) {
        String signingAlgorithm = oAuthASProperties.getSigningAlgorithm();
        this.algorithm = JWSAlgorithm.parse(signingAlgorithm);
        if (oAuthASProperties.isOpenIdConnect() || oAuthASProperties.isJWTAccessTokenPossible()) {
            if (JWSAlgorithm.Family.RSA.contains(this.algorithm)) {
                setupCredential(oAuthASProperties, pKIManagement);
                setupRSASigner();
            } else if (JWSAlgorithm.Family.EC.contains(this.algorithm)) {
                setupCredential(oAuthASProperties, pKIManagement);
                setupECSigner(signingAlgorithm);
            } else {
                if (!JWSAlgorithm.Family.HMAC_SHA.contains(this.algorithm)) {
                    throw new ConfigurationException("Unsupported signing algorithm " + signingAlgorithm);
                }
                setupHMACSigner(oAuthASProperties, signingAlgorithm);
            }
        }
    }

    private void setupRSASigner() {
        PrivateKey key = this.credential.getKey();
        if (key == null || !(key instanceof RSAPrivateKey)) {
            throw new ConfigurationException("The private key must be RSA if one of RS signingAlgorithm is used");
        }
        this.internalSigner = new RSASSASigner(key);
    }

    private void setupECSigner(String str) {
        PrivateKey key = this.credential.getKey();
        if (key == null || !(key instanceof ECPrivateKey)) {
            throw new ConfigurationException("The private key must be EC if one of ES signingAlgorithm is used");
        }
        try {
            ECPrivateKey eCPrivateKey = (ECPrivateKey) key;
            this.internalSigner = new ECDSASigner(eCPrivateKey);
            this.curve = Curve.forECParameterSpec(eCPrivateKey.getParams());
            if (!this.internalSigner.supportedJWSAlgorithms().contains(JWSAlgorithm.parse(str))) {
                throw new ConfigurationException("privateKey is not compatible with used ES algorithm");
            }
        } catch (JOSEException e) {
            throw new ConfigurationException("The EC key is incorrect", e);
        }
    }

    private void setupHMACSigner(OAuthASProperties oAuthASProperties, String str) {
        String signingSecret = oAuthASProperties.getSigningSecret();
        if (signingSecret == null || signingSecret.isEmpty()) {
            throw new ConfigurationException("signingSecret is required if one of HS signingAlgorithm is used");
        }
        try {
            this.internalSigner = new MACSigner(oAuthASProperties.getSigningSecret());
            if (!this.internalSigner.supportedJWSAlgorithms().contains(JWSAlgorithm.parse(str))) {
                throw new ConfigurationException("SigningSecret length is too short for the algorithm " + str);
            }
        } catch (KeyLengthException e) {
            throw new ConfigurationException("signingSecret is incorrect", e);
        }
    }

    private void setupCredential(OAuthASProperties oAuthASProperties, PKIManagement pKIManagement) {
        String value = oAuthASProperties.getValue(OAuthASProperties.CREDENTIAL);
        if (value == null) {
            throw new ConfigurationException("Credential configuration is mandatory when one of RS* or ES* algorithms is set for token signing");
        }
        try {
            if (!pKIManagement.getCredentialNames().contains(value)) {
                throw new ConfigurationException("There is no credential named '" + value + "' which is configured in the OAuth endpoint.");
            }
            this.credential = pKIManagement.getCredential(value);
        } catch (EngineException e) {
            throw new ConfigurationException("Can't obtain credential names.", e);
        }
    }

    public boolean isPKIEnabled() {
        return this.internalSigner != null;
    }

    public X509Certificate getCredentialCertificate() {
        if (isPKIEnabled()) {
            return this.credential.getCertificate();
        }
        throw new InternalException("Token signer is not initialized");
    }

    public X509Certificate[] getCredentialCertificateChain() {
        if (isPKIEnabled()) {
            return this.credential.getCertificateChain();
        }
        throw new InternalException("Token signer is not initialized");
    }

    public JWSAlgorithm getSigningAlgorithm() {
        if (isPKIEnabled()) {
            return this.algorithm;
        }
        throw new InternalException("Token signer is not initialized");
    }

    public Curve getCurve() {
        return this.curve;
    }

    public SignedJWT sign(IDTokenClaimsSet iDTokenClaimsSet) throws JOSEException, ParseException {
        return sign(iDTokenClaimsSet.toJWTClaimsSet(), null);
    }

    public SignedJWT sign(JWTClaimsSet jWTClaimsSet, String str) throws JOSEException {
        if (!isPKIEnabled()) {
            throw new InternalException("Token signer is not initialized");
        }
        JWSHeader.Builder builder = new JWSHeader.Builder(this.algorithm);
        if (this.credential != null) {
            builder.keyID(KeyIdExtractor.getKeyId(getCredentialCertificate()));
        }
        if (str != null) {
            builder.type(new JOSEObjectType(str));
        }
        SignedJWT signedJWT = new SignedJWT(builder.build(), jWTClaimsSet);
        signedJWT.sign(this.internalSigner);
        return signedJWT;
    }
}
