package io.vertx.ext.auth.impl.jose;

import io.vertx.core.buffer.Buffer;
import io.vertx.core.impl.logging.Logger;
import io.vertx.core.impl.logging.LoggerFactory;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.JWTOptions;
import io.vertx.ext.auth.NoSuchKeyIdException;
import io.vertx.ext.auth.impl.CertificateHelper;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Random;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.servicecomb.common.rest.codec.param.HeaderProcessorCreator;
import org.hibernate.validator.internal.metadata.core.ConstraintHelper;

/* loaded from: input_file:BOOT-INF/lib/vertx-auth-common-4.1.7.jar:io/vertx/ext/auth/impl/jose/JWT.class */
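/**
 * Signs and verifies compact-serialised JSON Web Tokens.
 *
 * <p>Keys are registered with {@link #addJWK(JWK)} and kept in two maps keyed by the JWK's
 * algorithm: one for verification and one for signing. While both maps are empty the instance
 * is in "unsecure" mode (see {@link #isUnsecure()}): {@link #sign(JsonObject, JWTOptions)}
 * emits unsigned two-segment tokens and {@link #decode(String, boolean)} returns payloads
 * without checking a signature.
 *
 * <p>{@code decode} checks only the token structure and its signature. No claim ({@code exp},
 * {@code nbf}, {@code aud}, {@code iss}) is validated anywhere in this class; that is left to
 * the caller.
 *
 * <p>The per-algorithm lists are plain {@link ArrayList}s and the configuration fields are not
 * volatile, so the instance should be fully configured before it is shared between threads.
 */
public final class JWT {
    private static final Logger LOG = LoggerFactory.getLogger(JWT.class);
    // Only used in sign() to pick one of several configured signing keys; it never produces
    // key material, nonces or token identifiers.
    private static final Random RND = new Random();
    private static final Charset UTF8 = StandardCharsets.UTF_8;
    private static final Base64.Encoder urlEncoder = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder urlDecoder = Base64.getUrlDecoder();
    // Standard (not URL-safe) base64: used for certificates (root CA string, x5c entries).
    private static final Base64.Decoder decoder = Base64.getDecoder();
    // NOTE(review): these two JSON key names are taken from constants in unrelated libraries (a
    // REST codec and a bean-validation helper). That looks like a decompiler substituting a
    // constant for a matching string literal; confirm the intended literals against the upstream
    // source before relying on them.
    private static final String HEADER_KEY = HeaderProcessorCreator.PARAMTYPE;
    private static final String PAYLOAD_KEY = ConstraintHelper.PAYLOAD;
    private X509Certificate rootCA;
    private MessageDigest nonceDigest;
    private boolean allowEmbeddedKey = false;
    private final Map<String, List<JWS>> SIGN = new ConcurrentHashMap<>();
    private final Map<String, List<JWS>> VERIFY = new ConcurrentHashMap<>();

    /**
     * Registers a key for verification and/or signing.
     *
     * <p>A key whose {@code use} is neither absent nor {@code "sig"} is skipped with a warning.
     * A key with a MAC or a public key is added to the verification list of its algorithm; a key
     * with a MAC or a private key is added to the signing list of its algorithm.
     *
     * @param jwk the key to register
     * @return this instance
     */
    public JWT addJWK(JWK jwk) {
        if (jwk.use() != null && !"sig".equals(jwk.use())) {
            LOG.warn("JWK skipped: use: sig != " + jwk.use());
            return this;
        }
        if (jwk.mac() != null || jwk.publicKey() != null) {
            addJWK(this.VERIFY.computeIfAbsent(jwk.getAlgorithm(), alg -> new ArrayList<>()), jwk);
        }
        if (jwk.mac() != null || jwk.privateKey() != null) {
            addJWK(this.SIGN.computeIfAbsent(jwk.getAlgorithm(), alg -> new ArrayList<>()), jwk);
        }
        return this;
    }

    /**
     * Enables or disables verification against a certificate chain carried in the token's
     * {@code x5c} header.
     *
     * <p>NOTE(review): when no root CA has been set, {@code decode} validates the chain with the
     * second argument of {@code CertificateHelper.checkValidity} set to {@code false} and then
     * verifies the signature with the first certificate of the token-supplied chain. Presumably
     * nothing then ties that chain to a trust anchor; confirm against {@code CertificateHelper}
     * and prefer {@link #embeddedKeyRootCA(String)} when embedded keys are needed.
     *
     * @param z {@code true} to accept embedded certificate chains
     * @return this instance
     */
    public JWT allowEmbeddedKey(boolean z) {
        this.allowEmbeddedKey = z;
        return this;
    }

    /**
     * Sets the root certificate appended to every {@code x5c} chain before it is validated, and
     * switches embedded-key verification on.
     *
     * @param str the certificate, standard-base64 encoded, as accepted by {@code JWS.parseX5c}
     * @return this instance
     * @throws CertificateException if the certificate cannot be parsed
     */
    public JWT embeddedKeyRootCA(String str) throws CertificateException {
        this.rootCA = JWS.parseX5c(decoder.decode(str.getBytes(UTF8)));
        this.allowEmbeddedKey = true;
        return this;
    }

    /**
     * Selects the digest applied to a {@code nonce} header before signature verification.
     *
     * @param str a {@link MessageDigest} algorithm name, or {@code null} to disable nonce hashing
     * @return this instance
     * @throws IllegalArgumentException if the algorithm is not available
     */
    public JWT nonceAlgorithm(String str) {
        if (str == null) {
            this.nonceDigest = null;
            return this;
        }
        try {
            this.nonceDigest = MessageDigest.getInstance(str);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalArgumentException(e);
        }
        return this;
    }

    /**
     * Stores {@code jwk} in {@code list}, replacing the entry that carries the same label if
     * there is one and appending otherwise.
     */
    private void addJWK(List<JWS> list, JWK jwk) {
        for (int i = 0; i < list.size(); i++) {
            if (list.get(i).jwk().label().equals(jwk.label())) {
                LOG.info("replacing JWK with label " + jwk.label());
                list.set(i, new JWS(jwk));
                return;
            }
        }
        list.add(new JWS(jwk));
    }

    /**
     * Decodes a token given as UTF-8 bytes. See {@link #parse(String)}.
     *
     * @param bArr the token bytes
     * @return the decoded parts
     */
    public static JsonObject parse(byte[] bArr) {
        return parse(new String(bArr, UTF8));
    }

    /**
     * Splits a token and decodes its header and payload WITHOUT verifying anything.
     *
     * <p>The result must be treated as untrusted input: no signature, key or algorithm check is
     * made here. Use {@link #decode(String, boolean)} when the content has to be authenticated.
     *
     * @param str the compact-serialised token
     * @return an object holding the decoded header, the decoded payload, {@code signatureBase}
     *     (the first two segments joined by a dot) and {@code signature} (the third segment, or
     *     {@code null} for a two-segment token)
     * @throws RuntimeException if the token does not have two or three segments
     */
    public static JsonObject parse(String str) {
        String[] segments = str.split("\\.");
        if (segments.length < 2 || segments.length > 3) {
            throw new RuntimeException("Not enough or too many segments [" + segments.length + "]");
        }
        String headerSeg = segments[0];
        String payloadSeg = segments[1];
        JsonObject header = new JsonObject(new String(base64urlDecode(headerSeg), UTF8));
        JsonObject payload = new JsonObject(new String(base64urlDecode(payloadSeg), UTF8));
        return new JsonObject()
            .put(HEADER_KEY, header)
            .put(PAYLOAD_KEY, payload)
            .put("signatureBase", headerSeg + "." + payloadSeg)
            .put("signature", segments.length == 2 ? null : segments[2]);
    }

    /**
     * Verifies a token and returns its payload. Same as {@code decode(str, false)}.
     *
     * @param str the compact-serialised token
     * @return the payload
     */
    public JsonObject decode(String str) {
        return decode(str, false);
    }

    /**
     * Verifies a token and returns its content.
     *
     * <p>Verification path, in order:
     * <ol>
     *   <li>If embedded keys are allowed and the header has {@code x5c}, the chain is validated
     *       and the signature is checked with its first certificate.</li>
     *   <li>Otherwise, in unsecure mode (no key registered) the payload is returned as is.</li>
     *   <li>Otherwise the keys registered for the header's {@code alg} are tried; a key is a
     *       candidate when the token has no {@code kid}, the key has no id, or both match.</li>
     * </ol>
     *
     * <p>Claims are not validated here.
     *
     * @param str the compact-serialised token
     * @param z {@code true} to return an object holding both header and payload, {@code false}
     *     to return the payload only
     * @return the payload, or header and payload when {@code z} is set
     * @throws IllegalStateException if the token is malformed, its signing state does not match
     *     the mode of this instance, it uses {@code "none"} in secure mode, or it has no
     *     {@code alg} header in secure mode
     * @throws NoSuchKeyIdException if no registered key matches the algorithm or key id
     * @throws RuntimeException if the signature does not verify
     */
    public JsonObject decode(String str, boolean z) {
        // String.split drops trailing empty strings, so a token ending in '.' arrives here as
        // two segments and is handled as an unsigned token.
        String[] segments = str.split("\\.");
        // More than three segments is rejected up front, as parse() does; previously such a
        // token was only rejected further down, and not at all on the unverified path.
        if (segments.length < 2 || segments.length > 3) {
            throw new IllegalStateException("Invalid format for JWT");
        }
        String headerSeg = segments[0];
        String payloadSeg = segments[1];
        String signatureSeg = segments.length == 3 ? segments[2] : null;
        if ("".equals(signatureSeg)) {
            throw new IllegalStateException("Signature is required");
        }
        JsonObject header = new JsonObject(Buffer.buffer(base64urlDecode(headerSeg)));
        boolean unsecure = isUnsecure();
        // The segment-count check is skipped entirely while embedded keys are allowed.
        if (!this.allowEmbeddedKey) {
            if (unsecure && segments.length != 2) {
                throw new IllegalStateException("JWT is in unsecured mode but token is signed.");
            }
            if (!unsecure && segments.length != 3) {
                throw new IllegalStateException("JWT is in secure mode but token is not signed.");
            }
        }
        JsonObject payload = new JsonObject(Buffer.buffer(base64urlDecode(payloadSeg)));
        String alg = header.getString("alg");
        if (!unsecure && "none".equals(alg)) {
            throw new IllegalStateException("Algorithm \"none\" not allowed");
        }
        if (this.allowEmbeddedKey && header.containsKey("x5c")) {
            if (signatureSeg == null) {
                throw new IllegalStateException("missing signature segment");
            }
            try {
                JsonArray x5c = header.getJsonArray("x5c");
                if (x5c == null || x5c.size() == 0) {
                    throw new IllegalStateException("x5c chain is null or empty");
                }
                List<X509Certificate> chain = new ArrayList<>();
                for (int i = 0; i < x5c.size(); i++) {
                    chain.add(JWS.parseX5c(decoder.decode(x5c.getString(i).getBytes(UTF8))));
                }
                if (this.rootCA != null) {
                    // The configured root is appended so the chain is checked up to it.
                    chain.add(this.rootCA);
                    CertificateHelper.checkValidity(chain, true, null);
                } else {
                    // NOTE(review): no trust anchor on this branch; see allowEmbeddedKey().
                    CertificateHelper.checkValidity(chain, false, null);
                }
                // The algorithm name comes from the token header; whether it is matched against
                // the certificate's key type is decided inside JWS.verifySignature.
                if (JWS.verifySignature(alg, chain.get(0), base64urlDecode(signatureSeg), (headerSeg + "." + payloadSeg).getBytes(UTF8))) {
                    return result(z, header, payload);
                }
                throw new RuntimeException("Signature verification failed");
            } catch (InvalidAlgorithmParameterException | InvalidKeyException | NoSuchAlgorithmException | NoSuchProviderException | SignatureException | CertificateException e) {
                throw new RuntimeException("Signature verification failed", e);
            }
        }
        if (unsecure) {
            // NOTE(review): with no JWK registered this return is reached for any token whose
            // header has no "x5c", even when allowEmbeddedKey or a root CA is configured, and
            // the payload is returned without a signature check. Deployments that rely only on
            // embedded certificates should confirm this is intended and require "x5c" themselves.
            return result(z, header, payload);
        }
        if (alg == null) {
            // ConcurrentHashMap.get(null) throws NullPointerException; reject a header without
            // "alg" explicitly instead of failing on the map lookup.
            throw new IllegalStateException("Missing \"alg\" header");
        }
        List<JWS> candidates = this.VERIFY.get(alg);
        if (candidates == null || candidates.size() == 0) {
            throw new NoSuchKeyIdException(alg);
        }
        if (signatureSeg == null) {
            throw new IllegalStateException("missing signature segment");
        }
        byte[] signature = base64urlDecode(signatureSeg);
        if (this.nonceDigest != null && header.containsKey("nonce")) {
            // The digest instance is shared, so its reset/digest sequence is serialised. The
            // header's nonce is replaced by its digest and the header segment is rebuilt, so the
            // signature is checked over the header that carries the hashed nonce. The header
            // returned to the caller carries the replaced value as well.
            synchronized (this) {
                this.nonceDigest.reset();
                header.put("nonce", this.nonceDigest.digest(header.getString("nonce").getBytes(StandardCharsets.UTF_8)));
                headerSeg = urlEncoder.encodeToString(header.encode().getBytes(StandardCharsets.UTF_8));
            }
        }
        byte[] signingInput = (headerSeg + "." + payloadSeg).getBytes(UTF8);
        String kid = header.getString("kid");
        boolean keyTried = false;
        for (JWS jws : candidates) {
            if (kid == null || jws.jwk().getId() == null || kid.equals(jws.jwk().getId())) {
                keyTried = true;
                if (jws.verify(signature, signingInput)) {
                    return result(z, header, payload);
                }
            }
        }
        if (keyTried) {
            throw new RuntimeException("Signature verification failed");
        }
        throw new NoSuchKeyIdException(alg, kid);
    }

    /** Builds the value returned by decode: header plus payload when {@code full}, else payload. */
    private static JsonObject result(boolean full, JsonObject header, JsonObject payload) {
        return full ? new JsonObject().put(HEADER_KEY, header).put(PAYLOAD_KEY, payload) : payload;
    }

    /**
     * Serialises and signs a token.
     *
     * <p>The passed payload object is modified in place: {@code iat} is added unless already
     * present or disabled, and {@code exp}, {@code aud}, {@code iss} and {@code sub} are
     * overwritten from the options when those are set. In unsecure mode the result has two
     * segments and no signature.
     *
     * @param jsonObject the payload claims (mutated)
     * @param jWTOptions algorithm, extra header fields and standard claims
     * @return the compact-serialised token
     * @throws IllegalStateException if {@code "none"} is requested in secure mode
     * @throws RuntimeException if no signing key is registered for the requested algorithm
     */
    public String sign(JsonObject jsonObject, JWTOptions jWTOptions) {
        boolean unsecure = isUnsecure();
        String alg = jWTOptions.getAlgorithm();
        if (!unsecure && "none".equals(alg)) {
            throw new IllegalStateException("Algorithm \"none\" not allowed");
        }
        JWS signer = null;
        String kid = null;
        if (!unsecure) {
            // A null algorithm would make the ConcurrentHashMap lookup throw; treat it as an
            // unsupported algorithm instead.
            List<JWS> signers = alg == null ? null : this.SIGN.get(alg);
            if (signers == null || signers.size() == 0) {
                throw new RuntimeException("Algorithm not supported/allowed: " + alg);
            }
            // With several keys for one algorithm, one is picked at random per token.
            signer = signers.get(signers.size() == 1 ? 0 : RND.nextInt(signers.size()));
            kid = signer.jwk().getId();
        }
        // "typ" and "alg" are set after the merge, so option-supplied values cannot override them.
        JsonObject header = new JsonObject().mergeIn(jWTOptions.getHeader()).put("typ", "JWT").put("alg", alg);
        if (kid != null) {
            header.put("kid", kid);
        }
        long nowSeconds = System.currentTimeMillis() / 1000;
        if (!jWTOptions.isNoTimestamp()) {
            jsonObject.put("iat", jsonObject.getValue("iat", Long.valueOf(nowSeconds)));
        }
        if (jWTOptions.getExpiresInSeconds() > 0) {
            jsonObject.put("exp", Long.valueOf(nowSeconds + jWTOptions.getExpiresInSeconds()));
        }
        if (jWTOptions.getAudience() != null && jWTOptions.getAudience().size() >= 1) {
            // A single audience is written as a plain value, several as an array.
            if (jWTOptions.getAudience().size() > 1) {
                jsonObject.put("aud", new JsonArray(jWTOptions.getAudience()));
            } else {
                jsonObject.put("aud", jWTOptions.getAudience().get(0));
            }
        }
        if (jWTOptions.getIssuer() != null) {
            jsonObject.put("iss", jWTOptions.getIssuer());
        }
        if (jWTOptions.getSubject() != null) {
            jsonObject.put("sub", jWTOptions.getSubject());
        }
        String signingInput = base64urlEncode(header.encode()) + "." + base64urlEncode(jsonObject.encode());
        if (unsecure) {
            return signingInput;
        }
        return signingInput + "." + base64urlEncode(signer.sign(signingInput.getBytes(UTF8)));
    }

    /** Decodes a base64url string. */
    private static byte[] base64urlDecode(String str) {
        return urlDecoder.decode(str.getBytes(UTF8));
    }

    /** Encodes the UTF-8 bytes of a string as unpadded base64url. */
    private static String base64urlEncode(String str) {
        return base64urlEncode(str.getBytes(UTF8));
    }

    /** Encodes bytes as unpadded base64url. */
    private static String base64urlEncode(byte[] bArr) {
        return urlEncoder.encodeToString(bArr);
    }

    /**
     * Tells whether no key at all is registered. In that state tokens are neither signed nor
     * verified by this instance.
     *
     * @return {@code true} when both key maps are empty
     */
    public boolean isUnsecure() {
        return this.VERIFY.isEmpty() && this.SIGN.isEmpty();
    }

    /**
     * Lists {@code "none"} plus every algorithm that has at least one registered key entry.
     *
     * @return a new, caller-owned set of algorithm names
     */
    public Collection<String> availableAlgorithms() {
        HashSet<String> algorithms = new HashSet<>();
        algorithms.add("none");
        algorithms.addAll(this.VERIFY.keySet());
        algorithms.addAll(this.SIGN.keySet());
        return algorithms;
    }
}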
