package io.helidon.security.jwt;

import io.helidon.common.Errors;
import io.helidon.security.jwt.jwk.Jwk;
import io.helidon.security.jwt.jwk.JwkKeys;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.json.Json;
import javax.json.JsonObject;
import javax.json.JsonReaderFactory;

/* loaded from: input_file:io/helidon/security/jwt/SignedJwt.class */
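/**
 * A JWT in compact serialized form ({@code header.payload.signature}) together with its parsed
 * header and payload JSON, the exact bytes covered by the signature, and the signature bytes.
 *
 * <p>Instances are created by the {@code sign} factories or by {@link #parseToken(String)}.
 * {@code parseToken} only decodes and parses the token; it never checks the signature. Callers
 * that received the token from an untrusted party must call
 * {@link #verifySignature(JwkKeys)} or {@link #verifySignature(JwkKeys, Jwk)} and inspect the
 * returned {@link Errors} before trusting {@link #getJwt()}.
 */
public final class SignedJwt {
    /*
     * Three dot-separated segments; header and payload must be non-empty, the signature may be empty.
     * Every segment accepts the base64url characters '-' and '_': URL_ENCODER (used by sign()) emits
     * them, so a pattern without them rejects tokens this class produces itself.
     * '+' and '/' are still matched here so that such input keeps being reported by the decode step
     * (URL_DECODER rejects them) through the Errors collector, as before.
     */
    private static final Pattern JWT_PATTERN =
            Pattern.compile("([a-zA-Z0-9_\\-/=+]+)\\.([a-zA-Z0-9_\\-/=+]+)\\.([a-zA-Z0-9_\\-/=+]*)");
    private static final Base64.Decoder URL_DECODER = Base64.getUrlDecoder();
    // NOTE(review): this encoder emits '=' padding, which the JWS compact serialization (RFC 7515)
    // omits; strict third-party parsers may reject tokens produced by sign(). Switching to
    // withoutPadding() changes the emitted tokens, so it is deliberately left unchanged here.
    private static final Base64.Encoder URL_ENCODER = Base64.getUrlEncoder();
    private static final JsonReaderFactory JSON = Json.createReaderFactory(Collections.emptyMap());

    // Full compact token, exactly as parsed or as produced by sign().
    private final String tokenContent;
    private final JsonObject headerJson;
    private final JsonObject payloadJson;
    // UTF-8 bytes of "<encoded header>.<encoded payload>", i.e. the signature input.
    private final byte[] signedBytes;
    // Decoded signature bytes.
    private final byte[] signature;

    private SignedJwt(String str, JsonObject jsonObject, JsonObject jsonObject2, byte[] bArr, byte[] bArr2) {
        this.tokenContent = str;
        this.headerJson = jsonObject;
        this.payloadJson = jsonObject2;
        this.signedBytes = bArr;
        this.signature = bArr2;
    }

    /**
     * Signs a JWT, selecting the key from the JWT's own algorithm and key id.
     *
     * <ul>
     *   <li>algorithm present: delegates to {@link #sign(Jwt, JwkKeys, String)};</li>
     *   <li>no algorithm, key id present: the key is looked up in {@code jwkKeys};</li>
     *   <li>neither present: the token is signed with {@link Jwk#NONE_JWK}.</li>
     * </ul>
     *
     * <p>NOTE(review): the last case means a {@code Jwt} built without algorithm and key id is
     * emitted via {@code Jwk.NONE_JWK} rather than failing; by its name this is the "none"
     * algorithm (its {@code sign} implementation is not visible in this file). Callers that must
     * always emit a cryptographically signed token should set the key id explicitly.
     *
     * @param jwt the JWT to sign
     * @param jwkKeys keys to look the key id up in
     * @return the signed token
     * @throws JwtException if the JWT names a key id that {@code jwkKeys} does not contain
     */
    public static SignedJwt sign(Jwt jwt, JwkKeys jwkKeys) throws JwtException {
        return (SignedJwt) jwt.algorithm()
                .map(str -> sign(jwt, jwkKeys, str))
                .orElseGet(() -> (SignedJwt) jwt.keyId()
                        .map(str2 -> (SignedJwt) jwkKeys.forKeyId(str2)
                                .map(jwk -> sign(jwt, jwk))
                                .orElseThrow(() -> new JwtException(
                                        "Could not find JWK based on key id. JWT: " + jwt + ", kid: " + str2)))
                        .orElseGet(() -> sign(jwt, Jwk.NONE_JWK)));
    }

    /**
     * Signs a JWT with an explicit key.
     *
     * <p>The signature input is the UTF-8 encoding of
     * {@code base64url(header) + "." + base64url(payload)}; the encoded signature is appended as
     * the third segment.
     *
     * @param jwt the JWT to sign
     * @param jwk the key passed the signature input via {@code jwk.sign(byte[])}
     * @return the signed token
     * @throws JwtException declared by the signature; nothing in this method throws it directly
     */
    public static SignedJwt sign(Jwt jwt, Jwk jwk) throws JwtException {
        JsonObject header = jwt.headerJson();
        JsonObject payload = jwt.payloadJson();
        String signingInput = encode(header.toString()) + "." + encode(payload.toString());
        byte[] signingInputBytes = signingInput.getBytes(StandardCharsets.UTF_8);
        byte[] signatureBytes = jwk.sign(signingInputBytes);
        String token = signingInput + "." + encode(signatureBytes);
        return new SignedJwt(token, header, payload, signingInputBytes, signatureBytes);
    }

    /**
     * Signs a JWT that declares the algorithm {@code str}.
     *
     * <p>If the JWT has a key id, that key must exist in {@code jwkKeys}. Without a key id only
     * the algorithm equal to {@link Jwk#ALG_NONE} is accepted, and {@link Jwk#NONE_JWK} is used.
     *
     * @param jwt the JWT to sign
     * @param jwkKeys keys to look the key id up in
     * @param str the algorithm declared by the JWT
     * @return the signed token
     * @throws JwtException if the key id is unknown, or an algorithm other than
     *     {@code Jwk.ALG_NONE} is declared without a key id
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static SignedJwt sign(Jwt jwt, JwkKeys jwkKeys, String str) {
        return sign(jwt, (Jwk) jwt.keyId()
                .map(str2 -> jwkKeys.forKeyId(str2)
                        .orElseThrow(() -> new JwtException("Could not find JWK for kid: " + str2)))
                .orElseGet(() -> {
                    if (Jwk.ALG_NONE.equals(str)) {
                        return Jwk.NONE_JWK;
                    }
                    throw new JwtException(
                            "JWT defined with signature algorithm " + str + ", yet no key id (kid): " + jwt);
                }));
    }

    /**
     * Parses a compact token into its header, payload and signature.
     *
     * <p>This method does <b>not</b> verify the signature; the result is untrusted until
     * {@code verifySignature} has been called and returned no errors.
     *
     * <p>The signature input kept for later verification is built from the encoded header and
     * payload segments exactly as received, not from a re-encoding of the parsed JSON.
     *
     * @param str the compact token
     * @return the parsed, unverified token
     * @throws JwtException if {@code str} does not have the three-segment shape
     */
    public static SignedJwt parseToken(String str) {
        Errors.Collector collector = Errors.collector();
        Matcher matcher = JWT_PATTERN.matcher(str);
        if (!matcher.matches()) {
            // NOTE(review): the rejected input is echoed verbatim in the message. If callers log this
            // exception, a malformed bearer credential ends up in the logs; consider omitting or
            // truncating it.
            throw new JwtException("Not a JWT token: " + str);
        }
        String headerBase64 = matcher.group(1);
        String payloadBase64 = matcher.group(2);
        String signatureBase64 = matcher.group(3);

        String headerText = decode(headerBase64, collector, "JWT header");
        String payloadText = decode(payloadBase64, collector, "JWT payload");
        byte[] signatureBytes = decodeBytes(signatureBase64, collector, "JWT signature");
        // Stop before JSON parsing if any segment failed to decode (the decode helpers return null then);
        // checkValid() is presumably what raises the collected fatal errors.
        collector.collect().checkValid();

        String signingInput = headerBase64 + "." + payloadBase64;
        JsonObject header = parseJson(headerText, collector, headerBase64, "JWT header");
        JsonObject payload = parseJson(payloadText, collector, payloadBase64, "JWT payload");
        collector.collect().checkValid();

        return new SignedJwt(str, header, payload, signingInput.getBytes(StandardCharsets.UTF_8), signatureBytes);
    }

    /**
     * Parses {@code str} as a JSON object.
     *
     * @param str decoded JSON text
     * @param collector receives a fatal error if parsing fails
     * @param str2 the base64 form of the segment, passed to the collector as the error source
     * @param str3 human-readable segment name used in the error message
     * @return the parsed object, or {@code null} after recording a fatal error
     */
    private static JsonObject parseJson(String str, Errors.Collector collector, String str2, String str3) {
        try {
            return JSON.createReader(new StringReader(str)).readObject();
        } catch (Exception e) {
            collector.fatal(str2, str3 + " is not a valid JSON object (value is base64 encoded)");
            return null;
        }
    }

    /** Base64url-encodes the UTF-8 bytes of {@code str}. */
    private static String encode(String str) {
        return encode(str.getBytes(StandardCharsets.UTF_8));
    }

    /** Base64url-encodes {@code bArr} with {@link #URL_ENCODER}. */
    private static String encode(byte[] bArr) {
        return URL_ENCODER.encodeToString(bArr);
    }

    /**
     * Base64url-decodes a segment to a UTF-8 string.
     *
     * @param str the encoded segment; also passed to the collector as the error source
     * @param collector receives a fatal error if decoding fails
     * @param str2 human-readable segment name used in the error message
     * @return the decoded text, or {@code null} after recording a fatal error
     */
    private static String decode(String str, Errors.Collector collector, String str2) {
        try {
            return new String(URL_DECODER.decode(str), StandardCharsets.UTF_8);
        } catch (Exception e) {
            collector.fatal(str, str2 + " is not a base64 encoded string.");
            return null;
        }
    }

    /**
     * Base64url-decodes a segment to raw bytes.
     *
     * @param str the encoded segment; also passed to the collector as the error source
     * @param collector receives a fatal error if decoding fails
     * @param str2 human-readable segment name used in the error message
     * @return the decoded bytes, or {@code null} after recording a fatal error
     */
    private static byte[] decodeBytes(String str, Errors.Collector collector, String str2) {
        try {
            return URL_DECODER.decode(str);
        } catch (Exception e) {
            collector.fatal(str, str2 + " is not a base64 encoded string.");
            return null;
        }
    }

    /** Returns the full compact token string. */
    public String tokenContent() {
        return this.tokenContent;
    }

    /** Returns the parsed header JSON (package-private). */
    JsonObject headerJson() {
        return this.headerJson;
    }

    /** Returns the parsed payload JSON (package-private). */
    JsonObject payloadJson() {
        return this.payloadJson;
    }

    /** Returns a copy of the signature input, so callers cannot modify the stored bytes. */
    public byte[] getSignedBytes() {
        return Arrays.copyOf(this.signedBytes, this.signedBytes.length);
    }

    /** Returns a copy of the signature bytes, so callers cannot modify the stored bytes. */
    public byte[] getSignature() {
        return Arrays.copyOf(this.signature, this.signature.length);
    }

    /**
     * Builds a {@link Jwt} from the parsed header and payload.
     *
     * <p>This does not imply that the signature was verified.
     */
    public Jwt getJwt() {
        return new Jwt(this.headerJson, this.payloadJson);
    }

    /**
     * Verifies the signature without a default key; equivalent to
     * {@code verifySignature(jwkKeys, null)}.
     *
     * @param jwkKeys keys to look the token's key id up in
     * @return collected errors; see {@link #verifySignature(JwkKeys, Jwk)}
     */
    public Errors verifySignature(JwkKeys jwkKeys) {
        return verifySignature(jwkKeys, null);
    }

    /**
     * Verifies the signature, choosing the key from the token header and an optional default key.
     *
     * <p>The header's algorithm and key id come from the token and are therefore controlled by
     * whoever produced it. Key selection:
     *
     * <ul>
     *   <li>no algorithm, no key id: the default key {@code jwk} if given, otherwise
     *       {@link Jwk#NONE_JWK}, which is then reported as a fatal error;</li>
     *   <li>no algorithm, key id present: the key from {@code jwkKeys}, falling back to
     *       {@code jwk} when the key id is unknown; the key's algorithm is used;</li>
     *   <li>algorithm and key id present: the key from {@code jwkKeys}, falling back to
     *       {@code jwk} only if its algorithm equals the header's;</li>
     *   <li>algorithm other than {@link Jwk#ALG_NONE}, no key id: the default key is required;</li>
     *   <li>algorithm equal to {@code Jwk.ALG_NONE}, no key id: a fatal error unless the default
     *       key's algorithm is also {@code Jwk.ALG_NONE}.</li>
     * </ul>
     *
     * <p>Before the signature is checked, the selected key's algorithm must equal the effective
     * algorithm; a mismatch is a fatal error.
     *
     * @param jwkKeys keys to look the token's key id up in
     * @param jwk default key, may be {@code null}
     * @return the collected errors; failures are reported here, not thrown
     */
    public Errors verifySignature(JwkKeys jwkKeys, Jwk jwk) {
        Errors.Collector collector = Errors.collector();
        String alg = JwtUtil.getString(this.headerJson, Jwk.PARAM_ALGORITHM).orElse(null);
        String kid = JwtUtil.getString(this.headerJson, Jwk.PARAM_KEY_ID).orElse(null);
        Jwk key = null;
        // Set when NONE_JWK was chosen only because no default key was supplied.
        boolean noneWithoutDefault = false;

        if (alg == null) {
            if (kid == null) {
                if (jwk == null) {
                    noneWithoutDefault = true;
                    key = Jwk.NONE_JWK;
                } else {
                    key = jwk;
                }
                alg = key.algorithm();
            } else {
                key = jwkKeys.forKeyId(kid).orElse(null);
                if (key == null) {
                    if (jwk == null) {
                        collector.fatal(jwkKeys, "Key for key id: " + kid + " not found");
                    } else {
                        // Unknown kid and no declared algorithm: the default key is used as is.
                        key = jwk;
                    }
                }
                if (key != null) {
                    alg = key.algorithm();
                }
            }
        } else if (kid != null) {
            key = jwkKeys.forKeyId(kid).orElse(null);
            if (key == null) {
                // The default key is only an acceptable fallback when it matches the declared algorithm.
                if (jwk != null && alg.equals(jwk.algorithm())) {
                    key = jwk;
                }
                if (key == null) {
                    collector.fatal(jwkKeys, "Key for key id: " + kid + " not found");
                }
            }
        } else if (!Jwk.ALG_NONE.equals(alg)) {
            key = jwk;
            if (key == null) {
                collector.fatal("Algorithm is " + alg + ", yet no kid is defined in JWT header, cannot validate");
            }
        } else if (jwk == null) {
            key = Jwk.NONE_JWK;
            noneWithoutDefault = true;
        } else if (!jwk.algorithm().equals(alg)) {
            collector.fatal("Algorithm is " + alg + ", default jwk requires " + jwk.algorithm());
        }
        // NOTE(review): when the header declares Jwk.ALG_NONE without a kid and the default key's
        // algorithm is also Jwk.ALG_NONE, no key is selected and no fatal is recorded, so the early
        // return below reports no error without calling verifySignature(). Confirm that configuring
        // such a default key is meant to accept unsigned tokens.

        if (key == null) {
            return collector.collect();
        }
        if (noneWithoutDefault) {
            collector.fatal(key, "None algorithm not allowed, unless specified as the default JWK");
        }
        // Never verify with a key whose algorithm differs from the effective one: the header's alg is
        // attacker-controlled and must not decide how an existing key is used.
        if (key.algorithm().equals(alg)) {
            try {
                if (!key.verifySignature(this.signedBytes, this.signature)) {
                    collector.fatal(key, "Signature of JWT token is not valid, based on alg: " + alg + ", kid: " + kid);
                }
            } catch (Exception e) {
                collector.fatal(key, "Failed to verify signature due to an exception: " + e.getClass().getName() + ": " + e.getMessage());
            }
        } else {
            collector.fatal(key, "Algorithm of JWK (" + key.algorithm() + ") does not match algorithm of this JWT (" + alg + ") for kid: " + kid);
        }
        return collector.collect();
    }
}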
