package org.apereo.cas.util.cipher;

import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.PublicKey;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.util.EncodingUtils;
import org.apereo.cas.util.ResourceUtils;
import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/cas-server-core-util-api-5.3.8.jar:org/apereo/cas/util/cipher/BaseStringCipherExecutor.class */
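/**
 * Base cipher that turns a {@link Serializable} value into a string which is optionally
 * encrypted as a JWT and then optionally signed, and reverses that on {@link #decode}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Passing a non-blank key to the constructor turns the matching operation on even when
 *       its boolean flag is {@code false}.</li>
 *   <li>When an operation is enabled but no key is supplied, a key is generated and written to
 *       the log at WARN level together with the setting name it should be stored under.</li>
 *   <li>With encryption off (or no key present) {@link #encode} emits {@code toString()} of the
 *       value; with signing off {@link #decode} accepts its input without verification.</li>
 *   <li>The public setters can change these switches after construction.</li>
 * </ul>
 *
 * <p>{@code getName()}, {@code sign}, {@code verifySignature}, {@code configureSigningKey} and
 * {@code extractPublicKeyFromResource} are not defined here; they are inherited.
 */
public abstract class BaseStringCipherExecutor extends AbstractCipherExecutor<Serializable, String> {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(BaseStringCipherExecutor.class);

    /** Size argument handed to the JWK generator when no encryption key is configured. */
    private static final int ENCRYPTION_KEY_SIZE = 256;

    /** Size argument handed to the JWK generator when no signing key is configured. */
    private static final int SIGNING_KEY_SIZE = 512;

    /** Content encryption algorithm used by the constructors that do not take one. */
    private static final String DEFAULT_CONTENT_ENCRYPTION_ALGORITHM = "A128CBC-HS256";

    // Key management algorithm; "dir" unless a public-key resource switches it to RSA-OAEP-256.
    private String encryptionAlgorithm = KeyManagementAlgorithmIdentifiers.DIRECT;
    private String contentEncryptionAlgorithmIdentifier;
    // Either a key built from the configured secret or a public key loaded from a resource.
    private Key secretKeyEncryptionKey;
    private boolean encryptionEnabled = true;
    private boolean signingEnabled = true;

    /**
     * Creates a cipher with the default content encryption algorithm.
     *
     * @param secretKeyEncryption encryption key, or blank to auto-generate when encryption is on
     * @param secretKeySigning signing key, or blank to auto-generate when signing is on
     * @param enableEncryption requests encryption; a non-blank encryption key also enables it
     * @param enableSigning requests signing; a non-blank signing key also enables it
     */
    public BaseStringCipherExecutor(String secretKeyEncryption, String secretKeySigning,
                                    boolean enableEncryption, boolean enableSigning) {
        this(secretKeyEncryption, secretKeySigning, DEFAULT_CONTENT_ENCRYPTION_ALGORITHM,
            enableEncryption, enableSigning);
    }

    /**
     * Creates a cipher with signing requested and the default content encryption algorithm.
     *
     * @param secretKeyEncryption encryption key, or blank to auto-generate when encryption is on
     * @param secretKeySigning signing key, or blank to auto-generate
     * @param enableEncryption requests encryption; a non-blank encryption key also enables it
     */
    public BaseStringCipherExecutor(String secretKeyEncryption, String secretKeySigning,
                                    boolean enableEncryption) {
        this(secretKeyEncryption, secretKeySigning, enableEncryption, true);
    }

    /**
     * Creates a cipher with both encryption and signing requested.
     *
     * @param secretKeyEncryption encryption key, or blank to auto-generate
     * @param secretKeySigning signing key, or blank to auto-generate
     * @param contentEncryptionAlgorithmIdentifier content encryption algorithm identifier
     */
    public BaseStringCipherExecutor(String secretKeyEncryption, String secretKeySigning,
                                    String contentEncryptionAlgorithmIdentifier) {
        this(secretKeyEncryption, secretKeySigning, contentEncryptionAlgorithmIdentifier, true, true);
    }

    /**
     * Creates a cipher with both operations requested and the default content encryption algorithm.
     *
     * @param secretKeyEncryption encryption key, or blank to auto-generate
     * @param secretKeySigning signing key, or blank to auto-generate
     */
    public BaseStringCipherExecutor(String secretKeyEncryption, String secretKeySigning) {
        this(secretKeyEncryption, secretKeySigning, DEFAULT_CONTENT_ENCRYPTION_ALGORITHM, true, true);
    }

    /**
     * Creates a cipher and configures keys for every operation that ends up enabled.
     *
     * <p>An operation is enabled when its flag is {@code true} <em>or</em> its key is non-blank,
     * so a {@code false} flag alone does not disable an operation whose key is configured.
     * A disabled operation is reported once at WARN level.
     *
     * <p>NOTE(review): this constructor calls {@code getName()}, {@link #getEncryptionKeySetting()}
     * and {@link #getSigningKeySetting()}, which subclasses may override; those overrides run
     * before the subclass constructor body.
     *
     * @param secretKeyEncryption encryption key, or blank to auto-generate when encryption is on
     * @param secretKeySigning signing key, or blank to auto-generate when signing is on
     * @param contentEncryptionAlgorithmIdentifier content encryption algorithm identifier
     * @param enableEncryption requests encryption
     * @param enableSigning requests signing
     */
    public BaseStringCipherExecutor(String secretKeyEncryption, String secretKeySigning,
                                    String contentEncryptionAlgorithmIdentifier,
                                    boolean enableEncryption, boolean enableSigning) {
        this.encryptionEnabled = enableEncryption || StringUtils.isNotBlank(secretKeyEncryption);
        this.signingEnabled = enableSigning || StringUtils.isNotBlank(secretKeySigning);
        if (this.encryptionEnabled) {
            configureEncryptionParameters(secretKeyEncryption, contentEncryptionAlgorithmIdentifier);
        } else {
            LOGGER.warn("Encryption is not enabled for [{}]. The cipher [{}] will only attempt to produce signed objects", getName(), getClass().getSimpleName());
        }
        if (this.signingEnabled) {
            configureSigningParameters(secretKeySigning);
        } else {
            LOGGER.warn("Signing is not enabled for [{}]. The cipher [{}] will attempt to produce plain objects", getName(), getClass().getSimpleName());
        }
    }

    /**
     * Hands the signing key to {@code configureSigningKey}, generating one first if none is given.
     *
     * @param secretKeySigning configured signing key, possibly blank
     */
    private void configureSigningParameters(String secretKeySigning) {
        String signingKey = secretKeySigning;
        if (StringUtils.isBlank(signingKey)) {
            LOGGER.warn("Secret key for signing is not defined for [{}]. CAS will attempt to auto-generate the signing key", getName());
            signingKey = EncodingUtils.generateJsonWebKey(SIGNING_KEY_SIZE);
            // NOTE(security): the generated key material itself is written to the log so an operator
            // can copy it into configuration. Anyone who can read the log can read the key; restrict
            // log access and set the key explicitly so this path is not taken.
            LOGGER.warn("Generated signing key [{}] of size [{}] for [{}]. The generated key MUST be added to CAS settings under setting [{}].", signingKey, SIGNING_KEY_SIZE, getName(), getSigningKeySetting());
        } else {
            LOGGER.debug("Located signing key to use for [{}]", getName());
        }
        configureSigningKey(signingKey);
    }

    /**
     * Resolves the encryption key and records the content encryption algorithm.
     *
     * <p>The key string is first tried as a resource location; if such a resource exists a public
     * key is loaded from it. Any exception on that path is logged and the string is then used as
     * the secret for a JSON web key instead, so a broken key resource does not stop start-up.
     *
     * @param secretKeyEncryption configured encryption key or resource location, possibly blank
     * @param contentEncryptionAlgorithmIdentifier content encryption algorithm identifier
     */
    private void configureEncryptionParameters(String secretKeyEncryption,
                                               String contentEncryptionAlgorithmIdentifier) {
        String encryptionKey = secretKeyEncryption;
        if (StringUtils.isBlank(encryptionKey)) {
            LOGGER.warn("Secret key for encryption is not defined for [{}]; CAS will attempt to auto-generate the encryption key", getName());
            encryptionKey = EncodingUtils.generateJsonWebKey(ENCRYPTION_KEY_SIZE);
            // NOTE(security): as with the signing key, the generated key material is logged in clear.
            LOGGER.warn("Generated encryption key [{}] of size [{}] for [{}]. The generated key MUST be added to CAS settings under setting [{}].", encryptionKey, ENCRYPTION_KEY_SIZE, getName(), getEncryptionKeySetting());
        } else {
            LOGGER.debug("Located encryption key to use for [{}]", getName());
        }
        try {
            if (ResourceUtils.doesResourceExist(encryptionKey)) {
                configureEncryptionKeyFromPublicKeyResource(encryptionKey);
            }
        } catch (Exception e) {
            // Deliberately not rethrown: the finally block falls back to a secret-based key.
            LOGGER.error(e.getMessage(), e);
        } finally {
            // Runs exactly once on both the normal and the failure path.
            if (this.secretKeyEncryptionKey == null) {
                LOGGER.debug("Creating encryption key instance based on provided secret key");
                setSecretKeyEncryptionKey(EncodingUtils.generateJsonWebKey(encryptionKey));
            }
            setContentEncryptionAlgorithmIdentifier(contentEncryptionAlgorithmIdentifier);
            LOGGER.debug("Initialized cipher encryption sequence via content encryption [{}] and algorithm [{}]", this.contentEncryptionAlgorithmIdentifier, this.encryptionAlgorithm);
        }
    }

    /**
     * Loads a public key from the given resource and switches key management to RSA-OAEP-256.
     *
     * @param resourceLocation location of the public key resource
     * @throws Exception if the key cannot be extracted from the resource
     */
    protected void configureEncryptionKeyFromPublicKeyResource(String resourceLocation) throws Exception {
        PublicKey publicKey = extractPublicKeyFromResource(resourceLocation);
        LOGGER.debug("Located encryption key resource [{}]", resourceLocation);
        setSecretKeyEncryptionKey(publicKey);
        setEncryptionAlgorithm(KeyManagementAlgorithmIdentifiers.RSA_OAEP_256);
    }

    /**
     * Encrypts the value (when enabled and a key is present), then signs the result (when enabled).
     *
     * <p>If encryption is disabled or no key is set, the value's {@code toString()} is used as is,
     * so the output carries the value in clear text, signed or not.
     *
     * @param value value to encode
     * @param parameters not used by this implementation
     * @return the encoded string
     */
    @Override // org.apereo.cas.CipherExecutor
    public String encode(Serializable value, Object[] parameters) {
        final String encoded;
        if (this.encryptionEnabled && this.secretKeyEncryptionKey != null) {
            encoded = EncodingUtils.encryptValueAsJwt(this.secretKeyEncryptionKey, value,
                this.encryptionAlgorithm, this.contentEncryptionAlgorithmIdentifier);
        } else {
            encoded = value.toString();
        }
        if (!this.signingEnabled) {
            return encoded;
        }
        byte[] signed = sign(encoded.getBytes(StandardCharsets.UTF_8));
        return new String(signed, StandardCharsets.UTF_8);
    }

    /**
     * Verifies the signature (when enabled), then decrypts the payload (when enabled and a key is
     * present).
     *
     * <p>With signing disabled the input bytes are taken as the payload without any verification.
     *
     * <p>NOTE(review): the key passed to {@code decryptJwtValue} is the same object used for
     * encryption; when that is a public key loaded from a resource, decryption would normally
     * need the matching private key. Confirm how such executors are expected to decode.
     *
     * @param value encoded value; its {@code toString()} is decoded
     * @param parameters not used by this implementation
     * @return the decoded string, or {@code null} when verification yields no payload
     */
    @Override // org.apereo.cas.CipherExecutor
    public String decode(Serializable value, Object[] parameters) {
        byte[] encoded = value.toString().getBytes(StandardCharsets.UTF_8);
        byte[] payload = this.signingEnabled ? verifySignature(encoded) : encoded;
        if (payload == null || payload.length == 0) {
            return null;
        }
        String text = new String(payload, StandardCharsets.UTF_8);
        if (this.encryptionEnabled && this.secretKeyEncryptionKey != null) {
            return EncodingUtils.decryptJwtValue(this.secretKeyEncryptionKey, text);
        }
        return text;
    }

    /**
     * Names the setting an auto-generated encryption key should be stored under; used only in the
     * log message emitted when a key is generated.
     *
     * @return the setting name, {@code "N/A"} unless overridden
     */
    protected String getEncryptionKeySetting() {
        return "N/A";
    }

    /**
     * Names the setting an auto-generated signing key should be stored under; used only in the
     * log message emitted when a key is generated.
     *
     * @return the setting name, {@code "N/A"} unless overridden
     */
    protected String getSigningKeySetting() {
        return "N/A";
    }

    /**
     * Creates a cipher with both switches on and no keys configured; nothing is generated here,
     * so {@link #encode} will not encrypt until a key is set.
     */
    @Generated
    public BaseStringCipherExecutor() {
        // Defaults come from the field initializers.
    }

    /** Sets the key management algorithm identifier used when encrypting. */
    @Generated
    public void setEncryptionAlgorithm(String encryptionAlgorithm) {
        this.encryptionAlgorithm = encryptionAlgorithm;
    }

    /** Sets the content encryption algorithm identifier used when encrypting. */
    @Generated
    public void setContentEncryptionAlgorithmIdentifier(String contentEncryptionAlgorithmIdentifier) {
        this.contentEncryptionAlgorithmIdentifier = contentEncryptionAlgorithmIdentifier;
    }

    /** Sets the key used for both encryption and decryption. */
    @Generated
    public void setSecretKeyEncryptionKey(Key secretKeyEncryptionKey) {
        this.secretKeyEncryptionKey = secretKeyEncryptionKey;
    }

    /** Turns encryption on or off; when off, encoded output carries the value in clear text. */
    @Generated
    public void setEncryptionEnabled(boolean encryptionEnabled) {
        this.encryptionEnabled = encryptionEnabled;
    }

    /** Turns signing on or off; when off, decode accepts input without verifying a signature. */
    @Generated
    public void setSigningEnabled(boolean signingEnabled) {
        this.signingEnabled = signingEnabled;
    }
}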
