package org.mitre.jwt.signer.service.impl;

import com.google.common.base.Strings;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.ECDSASigner;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.OctetSequenceKey;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jwt.SignedJWT;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.UUID;
import org.mitre.jose.keystore.JWKSetKeyStore;
import org.mitre.jwt.signer.service.JWTSigningAndValidationService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/mitre/jwt/signer/service/impl/DefaultJWTSigningAndValidationService.class */
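/**
 * Default {@link JWTSigningAndValidationService} backed by an in-memory map of JWKs keyed by key ID.
 *
 * <p>At construction time every RSA, EC and octet-sequence key gets a Nimbus verifier, and every
 * such key that reports {@code isPrivate()} also gets a signer. Keys of any other type are skipped
 * with a warning.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@link #validateSignature(SignedJWT)} accepts a token if <em>any</em> configured verifier
 *       accepts it; it does not select the key by the token's {@code kid} header.</li>
 *   <li>Signing failures caused by a {@link JOSEException} are only logged, so the JWT is left
 *       unsigned; callers that need a hard failure must check the JWT's state themselves.</li>
 * </ul>
 */
public class DefaultJWTSigningAndValidationService implements JWTSigningAndValidationService {
    private static final Logger logger = LoggerFactory.getLogger(DefaultJWTSigningAndValidationService.class);

    // Key ID -> signer; only populated for keys that carry private material.
    private final Map<String, JWSSigner> signers = new HashMap<>();
    // Key ID -> verifier; populated for every supported key.
    private final Map<String, JWSVerifier> verifiers = new HashMap<>();
    // Key ID -> JWK as supplied by the caller (may include private key material).
    private final Map<String, JWK> keys;
    private String defaultSignerKeyId;
    private JWSAlgorithm defaultAlgorithm;

    /**
     * Builds the service from an explicit key-ID-to-JWK map.
     *
     * <p>The map is stored by reference, not copied; later changes to it are not reflected in the
     * signers and verifiers built here.
     *
     * @param map key ID to JWK; must not be {@code null}
     * @throws NoSuchAlgorithmException declared for compatibility with existing callers
     * @throws InvalidKeySpecException declared for compatibility with existing callers
     */
    public DefaultJWTSigningAndValidationService(Map<String, JWK> map) throws NoSuchAlgorithmException, InvalidKeySpecException {
        this.keys = map;
        buildSignersAndVerifiers();
    }

    /**
     * Builds the service from a JWK set key store.
     *
     * <p>Keys without a key ID are registered under a freshly generated random UUID, so their ID
     * differs on every start-up. A {@code null} store, or a store with a {@code null} JWK set,
     * yields a service with no keys.
     *
     * @param jWKSetKeyStore source of the keys; may be {@code null}
     * @throws NoSuchAlgorithmException declared for compatibility with existing callers
     * @throws InvalidKeySpecException declared for compatibility with existing callers
     */
    public DefaultJWTSigningAndValidationService(JWKSetKeyStore jWKSetKeyStore) throws NoSuchAlgorithmException, InvalidKeySpecException {
        this.keys = new HashMap<>();
        if (jWKSetKeyStore != null && jWKSetKeyStore.getJwkSet() != null) {
            for (JWK jwk : jWKSetKeyStore.getKeys()) {
                String keyId = Strings.isNullOrEmpty(jwk.getKeyID()) ? UUID.randomUUID().toString() : jwk.getKeyID();
                this.keys.put(keyId, jwk);
            }
        }
        buildSignersAndVerifiers();
    }

    /** @return the key ID used by {@link #signJwt(SignedJWT)}, or {@code null} if none is set */
    @Override // org.mitre.jwt.signer.service.JWTSigningAndValidationService
    public String getDefaultSignerKeyId() {
        return this.defaultSignerKeyId;
    }

    /** @param str the key ID that {@link #signJwt(SignedJWT)} should sign with */
    public void setDefaultSignerKeyId(String str) {
        this.defaultSignerKeyId = str;
    }

    /** @return the configured default signing algorithm, or {@code null} if none is set */
    @Override // org.mitre.jwt.signer.service.JWTSigningAndValidationService
    public JWSAlgorithm getDefaultSigningAlgorithm() {
        return this.defaultAlgorithm;
    }

    /** @param str JWS algorithm name, parsed with {@link JWSAlgorithm#parse(String)} */
    public void setDefaultSigningAlgorithmName(String str) {
        this.defaultAlgorithm = JWSAlgorithm.parse(str);
    }

    /** @return the name of the default signing algorithm, or {@code null} if none is set */
    public String getDefaultSigningAlgorithmName() {
        return this.defaultAlgorithm != null ? this.defaultAlgorithm.getName() : null;
    }

    /**
     * Populates {@link #signers} and {@link #verifiers} from {@link #keys}, and picks the only key
     * as the default signer when exactly one key is configured and no default is set.
     *
     * <p>A key whose signer or verifier cannot be constructed is logged and skipped rather than
     * aborting start-up, so the resulting service may hold fewer keys than were configured.
     */
    private void buildSignersAndVerifiers() throws NoSuchAlgorithmException, InvalidKeySpecException {
        for (Map.Entry<String, JWK> entry : this.keys.entrySet()) {
            String keyId = entry.getKey();
            JWK jwk = entry.getValue();
            try {
                if (jwk instanceof RSAKey) {
                    RSAKey rsaKey = (RSAKey) jwk;
                    if (rsaKey.isPrivate()) {
                        this.signers.put(keyId, new RSASSASigner(rsaKey));
                    }
                    this.verifiers.put(keyId, new RSASSAVerifier(rsaKey));
                } else if (jwk instanceof ECKey) {
                    ECKey ecKey = (ECKey) jwk;
                    if (ecKey.isPrivate()) {
                        this.signers.put(keyId, new ECDSASigner(ecKey));
                    }
                    this.verifiers.put(keyId, new ECDSAVerifier(ecKey));
                } else if (jwk instanceof OctetSequenceKey) {
                    OctetSequenceKey octKey = (OctetSequenceKey) jwk;
                    if (octKey.isPrivate()) {
                        this.signers.put(keyId, new MACSigner(octKey));
                    }
                    this.verifiers.put(keyId, new MACVerifier(octKey));
                } else {
                    // Log only the key type and ID. Concatenating the JWK itself would write its
                    // string form to the log, which is expected to be the full JSON serialisation
                    // and so could include private key parameters.
                    logger.warn("Unknown key type: {} (kid={})", jwk == null ? null : jwk.getKeyType(), keyId);
                }
            } catch (JOSEException e) {
                logger.warn("Exception loading signer/verifier", e);
            }
        }
        if (this.defaultSignerKeyId == null && this.keys.size() == 1) {
            setDefaultSignerKeyId(this.keys.keySet().iterator().next());
        }
    }

    /**
     * Signs the JWT with the default signer key.
     *
     * <p>A {@link JOSEException} raised while signing is logged and swallowed, leaving the JWT
     * unsigned.
     *
     * @param signedJWT the JWT to sign in place
     * @throws IllegalStateException if no default signer key ID is set, or if no signer exists for
     *     it (for example because the default key holds no private material)
     */
    @Override // org.mitre.jwt.signer.service.JWTSigningAndValidationService
    public void signJwt(SignedJWT signedJWT) {
        String keyId = getDefaultSignerKeyId();
        if (keyId == null) {
            throw new IllegalStateException("Tried to call default signing with no default signer ID set");
        }
        JWSSigner signer = this.signers.get(keyId);
        if (signer == null) {
            // Fail with a clear message instead of passing null into SignedJWT.sign().
            throw new IllegalStateException("No signer available for default signer key ID " + keyId);
        }
        try {
            signedJWT.sign(signer);
        } catch (JOSEException e) {
            logger.error("Failed to sign JWT, error was: ", e);
        }
    }

    /**
     * Signs the JWT with the first configured signer that supports the given algorithm.
     *
     * <p>Signers are held in a {@link HashMap}, so when several keys support the algorithm the one
     * chosen is not specified. A {@link JOSEException} raised while signing is logged and
     * swallowed, leaving the JWT unsigned.
     *
     * @param signedJWT the JWT to sign in place
     * @param jWSAlgorithm the algorithm a signer must support
     * @throws IllegalStateException if no configured signer supports the algorithm
     */
    @Override // org.mitre.jwt.signer.service.JWTSigningAndValidationService
    public void signJwt(SignedJWT signedJWT, JWSAlgorithm jWSAlgorithm) {
        JWSSigner signer = null;
        for (JWSSigner candidate : this.signers.values()) {
            if (candidate.supportedJWSAlgorithms().contains(jWSAlgorithm)) {
                signer = candidate;
                break;
            }
        }
        if (signer == null) {
            logger.error("No matching algirthm found for alg=" + jWSAlgorithm);
            // Stop here: continuing would hand a null signer to SignedJWT.sign().
            throw new IllegalStateException("No signer supports alg=" + jWSAlgorithm);
        }
        try {
            signedJWT.sign(signer);
        } catch (JOSEException e) {
            logger.error("Failed to sign JWT, error was: ", e);
        }
    }

    /**
     * Checks the JWT's signature against every configured verifier.
     *
     * <p>Returns {@code true} as soon as one verifier accepts the signature. A verifier that
     * throws {@link JOSEException} (presumably including a verifier whose key type does not match
     * the token's algorithm) is logged and skipped, and the remaining verifiers are still tried.
     * The token's {@code kid} header is not consulted.
     *
     * @param signedJWT the JWT whose signature is to be checked
     * @return {@code true} if any verifier accepts the signature, {@code false} otherwise
     */
    @Override // org.mitre.jwt.signer.service.JWTSigningAndValidationService
    public boolean validateSignature(SignedJWT signedJWT) {
        for (JWSVerifier verifier : this.verifiers.values()) {
            try {
                if (signedJWT.verify(verifier)) {
                    return true;
                }
            } catch (JOSEException e) {
                logger.error("Failed to validate signature with " + verifier + " error message: " + e.getMessage());
            }
        }
        return false;
    }

    /**
     * Returns the public form of every configured key, keyed by key ID.
     *
     * <p>Keys whose {@code toPublicJWK()} returns {@code null} are left out; this is presumably
     * what keeps symmetric (octet-sequence) keys out of the published set, and should be confirmed
     * against the Nimbus version in use before relying on it.
     *
     * @return a new map of key ID to public JWK
     */
    @Override // org.mitre.jwt.signer.service.JWTSigningAndValidationService
    public Map<String, JWK> getAllPublicKeys() {
        Map<String, JWK> publicKeys = new HashMap<>();
        for (Map.Entry<String, JWK> entry : this.keys.entrySet()) {
            JWK publicJwk = entry.getValue().toPublicJWK();
            if (publicJwk != null) {
                publicKeys.put(entry.getKey(), publicJwk);
            }
        }
        return publicKeys;
    }

    /**
     * Returns the union of the algorithms supported by all configured signers and verifiers.
     *
     * @return a new collection without duplicates
     */
    @Override // org.mitre.jwt.signer.service.JWTSigningAndValidationService
    public Collection<JWSAlgorithm> getAllSigningAlgsSupported() {
        Collection<JWSAlgorithm> algorithms = new HashSet<>();
        for (JWSSigner signer : this.signers.values()) {
            algorithms.addAll(signer.supportedJWSAlgorithms());
        }
        for (JWSVerifier verifier : this.verifiers.values()) {
            algorithms.addAll(verifier.supportedJWSAlgorithms());
        }
        return algorithms;
    }
}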
