package org.apache.knox.gateway.services.token.impl;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.KeyLengthException;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import org.apache.knox.gateway.GatewayResources;
import org.apache.knox.gateway.config.GatewayConfig;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.i18n.resources.ResourcesFactory;
import org.apache.knox.gateway.services.Service;
import org.apache.knox.gateway.services.ServiceLifecycleException;
import org.apache.knox.gateway.services.security.AliasService;
import org.apache.knox.gateway.services.security.AliasServiceException;
import org.apache.knox.gateway.services.security.KeystoreService;
import org.apache.knox.gateway.services.security.KeystoreServiceException;
import org.apache.knox.gateway.services.security.token.JWTokenAttributes;
import org.apache.knox.gateway.services.security.token.JWTokenAuthority;
import org.apache.knox.gateway.services.security.token.TokenServiceException;
import org.apache.knox.gateway.services.security.token.TokenUtils;
import org.apache.knox.gateway.services.security.token.impl.JWT;
import org.apache.knox.gateway.services.security.token.impl.JWTToken;

/* loaded from: input_file:org/apache/knox/gateway/services/token/impl/DefaultTokenAuthorityService.class */
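/**
 * Default {@link JWTokenAuthority}: issues and verifies the gateway's JWTs.
 *
 * <p>Two families of signature algorithm are supported:
 * <ul>
 *   <li>RSA ({@code RS256/384/512}, {@code PS256/384/512}) – signed with the private key cached by
 *       {@link #start()} (or, when the caller supplies a passphrase, a key read on demand from the
 *       requested keystore/alias) and verified with the matching certificate's public key;</li>
 *   <li>HMAC ({@code HS256/384/512}) – signed and verified with the shared secret stored under the
 *       {@code gateway.signing.hmac.secret} gateway alias, fetched lazily on first use.</li>
 * </ul>
 *
 * <p>{@link #start()} also caches the SHA-256 thumbprint of the signing certificate's public key;
 * it is emitted as the {@code kid} header of RSA-signed tokens so verifiers can pick the right key.
 *
 * <p>The lazily filled HMAC cache is not synchronized: concurrent first calls may fetch the secret
 * twice, which is harmless because both fetches return the same value.
 */
public class DefaultTokenAuthorityService implements JWTokenAuthority, Service {
    private static final GatewayResources RESOURCES = (GatewayResources) ResourcesFactory.get(GatewayResources.class);
    private static final TokenAuthorityServiceMessages LOG = (TokenAuthorityServiceMessages) MessagesFactory.get(TokenAuthorityServiceMessages.class);

    /** RSA-based JWS algorithms this authority can sign with and verify. */
    private static final Set<String> SUPPORTED_PKI_SIG_ALGS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("RS256", "RS384", "RS512", "PS256", "PS384", "PS512")));
    /** Shared-secret JWS algorithms this authority can sign with and verify. */
    private static final Set<String> SUPPORTED_HMAC_SIG_ALGS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("HS256", "HS384", "HS512")));

    /** Keystore alias used when the gateway config does not name a signing key alias. */
    private static final String DEFAULT_SIGNING_KEY_ALIAS = "gateway-identity";
    /** Gateway alias under which the HMAC signing secret is stored. */
    private static final String HMAC_SECRET_ALIAS = "gateway.signing.hmac.secret";
    /** Digest used for the public-key thumbprint that becomes the {@code kid} header. */
    private static final String KID_THUMBPRINT_ALGORITHM = "SHA-256";

    private AliasService aliasService;
    private KeystoreService keystoreService;
    private GatewayConfig config;
    // Filled by start(): passphrase of the signing key, as returned by the alias service.
    private char[] cachedSigningKeyPassphrase;
    // Filled on first HMAC use: UTF-8 bytes of the gateway.signing.hmac.secret alias value.
    private byte[] cachedSigningHmacSecret;
    // Filled by start(): the gateway's RSA private signing key.
    private RSAPrivateKey signingKey;
    // Filled by start(): thumbprint of the signing public key, empty if it could not be computed.
    private Optional<String> cachedSigningKeyID = Optional.empty();

    public void setKeystoreService(KeystoreService keystoreService) {
        this.keystoreService = keystoreService;
    }

    public void setAliasService(AliasService aliasService) {
        this.aliasService = aliasService;
    }

    /**
     * Issues a signed token for the given attributes.
     *
     * <p>The attributes object is mutated: for HMAC algorithms {@code kid} and {@code jku} are
     * cleared (a shared-secret token has no key id and must not advertise a JWKS URL); for RSA
     * algorithms {@code kid} is set to the cached signing-key thumbprint (or {@code null} when it
     * is unavailable).
     *
     * @param jWTokenAttributes claims, algorithm and optional signing keystore/alias/passphrase
     * @return the signed token
     * @throws TokenServiceException if the algorithm is unsupported or signing material cannot be loaded
     */
    public JWT issueToken(JWTokenAttributes jWTokenAttributes) throws TokenServiceException {
        String algorithm = jWTokenAttributes.getAlgorithm();
        boolean useHmac = SUPPORTED_HMAC_SIG_ALGS.contains(algorithm);
        // Reject before touching the attributes so a failed call leaves them unchanged.
        if (!useHmac && !SUPPORTED_PKI_SIG_ALGS.contains(algorithm)) {
            throw new TokenServiceException("Cannot issue token - Unsupported algorithm: " + algorithm);
        }
        if (useHmac) {
            jWTokenAttributes.setKid((String) null);
            jWTokenAttributes.setJku((String) null);
        } else {
            jWTokenAttributes.setKid(this.cachedSigningKeyID.orElse(null));
        }
        JWTToken token = new JWTToken(jWTokenAttributes);
        if (useHmac) {
            signTokenWithHMAC(token);
        } else {
            signTokenWithRSA(token,
                    jWTokenAttributes.getSigningKeystoreName(),
                    jWTokenAttributes.getSigningKeystoreAlias(),
                    jWTokenAttributes.getSigningKeystorePassphrase());
        }
        return token;
    }

    /**
     * Signs {@code jwt} with an RSA private key.
     *
     * @param keystoreName  keystore to read the key from; only used together with {@code passphrase}
     * @param keystoreAlias alias of the key; only used together with {@code passphrase}
     * @param passphrase    key passphrase, or {@code null} to use the key cached by {@link #start()}
     * @throws TokenServiceException if no usable RSA key is available
     */
    private void signTokenWithRSA(JWT jwt, String keystoreName, String keystoreAlias, char[] passphrase) throws TokenServiceException {
        RSAPrivateKey key;
        try {
            key = getSigningKey(keystoreName, keystoreAlias, passphrase);
        } catch (KeystoreServiceException e) {
            throw new TokenServiceException(e);
        }
        if (key == null) {
            // Previously this surfaced as a NullPointerException inside the signer.
            throw new TokenServiceException("Cannot issue token - no RSA signing key available for alias: " + getSigningKeyAlias(keystoreAlias));
        }
        // allowWeakKey=true permits keys below nimbus's minimum RSA size; kept for compatibility
        // with existing keystores, so key strength is enforced by keystore provisioning, not here.
        jwt.sign(new RSASSASigner(key, true));
    }

    /**
     * Resolves the RSA private key to sign with.
     *
     * <p>An explicit keystore name or alias is only honoured when a passphrase is supplied; without
     * one, the key cached by {@link #start()} is returned regardless of the other two arguments
     * (this mirrors the original behaviour and is relied on by callers that set only an alias).
     *
     * @return the key, or {@code null} if the keystore service has none for the alias
     * @throws TokenServiceException if the keystore holds a non-RSA key under the alias
     */
    private RSAPrivateKey getSigningKey(String keystoreName, String keystoreAlias, char[] passphrase) throws KeystoreServiceException, TokenServiceException {
        if (passphrase == null) {
            return this.signingKey;
        }
        String alias = getSigningKeyAlias(keystoreAlias);
        Key key = this.keystoreService.getSigningKey(keystoreName, alias, passphrase);
        if (key != null && !(key instanceof RSAPrivateKey)) {
            throw new TokenServiceException("Cannot issue token - signing key for alias " + alias + " is not an RSA private key");
        }
        return (RSAPrivateKey) key;
    }

    /**
     * Signs {@code jwt} with the shared HMAC secret.
     *
     * @throws TokenServiceException if the secret is missing or too short for the algorithm
     */
    private void signTokenWithHMAC(JWT jwt) throws TokenServiceException {
        try {
            jwt.sign(new MACSigner(getHmacSecret()));
        } catch (KeyLengthException e) {
            // nimbus rejects secrets shorter than the MAC output size of the chosen HS* algorithm
            throw new TokenServiceException(e);
        }
    }

    /**
     * Returns the HMAC secret, loading and caching it from the alias service on first use.
     *
     * @throws TokenServiceException if the alias cannot be read or is not configured
     */
    private byte[] getHmacSecret() throws TokenServiceException {
        if (this.cachedSigningHmacSecret == null) {
            char[] secretChars;
            try {
                secretChars = this.aliasService.getPasswordFromAliasForGateway(HMAC_SECRET_ALIAS);
            } catch (AliasServiceException e) {
                throw new TokenServiceException(e);
            }
            if (secretChars == null) {
                // Previously a null secret propagated into MACSigner/MACVerifier as a NullPointerException.
                throw new TokenServiceException("Cannot use HMAC signing - alias " + HMAC_SECRET_ALIAS + " is not configured");
            }
            this.cachedSigningHmacSecret = utf8Bytes(secretChars);
        }
        return this.cachedSigningHmacSecret;
    }

    /**
     * UTF-8 encodes a secret held in a {@code char[]} without materializing an immutable
     * {@link String} copy of it (which could not be scrubbed from the heap).
     */
    private static byte[] utf8Bytes(char[] chars) {
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] bytes = new byte[encoded.remaining()];
        encoded.get(bytes);
        if (encoded.hasArray()) {
            Arrays.fill(encoded.array(), (byte) 0); // scrub the encoder's scratch buffer
        }
        return bytes;
    }

    /** The configured signing key alias, falling back to {@value #DEFAULT_SIGNING_KEY_ALIAS}. */
    private String getSigningKeyAlias() {
        String configured = this.config.getSigningKeyAlias();
        return configured != null ? configured : DEFAULT_SIGNING_KEY_ALIAS;
    }

    /** {@code requested} if non-null, otherwise {@link #getSigningKeyAlias()}. */
    private String getSigningKeyAlias(String requested) {
        return requested != null ? requested : getSigningKeyAlias();
    }

    /**
     * Verifies {@code jwt} against the gateway's own signing material.
     *
     * @see #verifyToken(JWT, RSAPublicKey)
     */
    public boolean verifyToken(JWT jwt) throws TokenServiceException {
        return verifyToken(jwt, null);
    }

    /**
     * Verifies {@code jwt}'s signature.
     *
     * <p>Dispatch is on the token's own {@code alg} header: a token claiming an HS* algorithm is
     * checked against the shared HMAC secret, anything else against {@code rSAPublicKey} or, when
     * that is {@code null}, the public key of the gateway's signing certificate.
     *
     * @param rSAPublicKey key to verify RSA signatures with, or {@code null} for the gateway's own
     * @return {@code true} if the signature is valid
     * @throws TokenServiceException if the verification key material cannot be loaded
     */
    public boolean verifyToken(JWT jwt, RSAPublicKey rSAPublicKey) throws TokenServiceException {
        String algorithm = jwt.getSignatureAlgorithm().getName();
        if (SUPPORTED_HMAC_SIG_ALGS.contains(algorithm)) {
            return verifyTokenUsingHMAC(jwt);
        }
        return verifyTokenUsingRSA(jwt, rSAPublicKey);
    }

    private boolean verifyTokenUsingRSA(JWT jwt, RSAPublicKey publicKey) throws TokenServiceException {
        RSAPublicKey verificationKey = publicKey != null ? publicKey : getConfiguredSigningPublicKey();
        return jwt.verify(new RSASSAVerifier(verificationKey));
    }

    /**
     * Loads the public key of the gateway's signing certificate from the signing keystore.
     *
     * @throws TokenServiceException if the keystore, certificate or key is unavailable or not RSA
     */
    private RSAPublicKey getConfiguredSigningPublicKey() throws TokenServiceException {
        String alias = getSigningKeyAlias();
        PublicKey publicKey;
        try {
            KeyStore keystore = this.keystoreService.getSigningKeystore();
            if (keystore == null) {
                throw new TokenServiceException("Cannot verify token - signing keystore is not available");
            }
            Certificate certificate = keystore.getCertificate(alias);
            if (certificate == null) {
                // Previously a missing certificate surfaced as a NullPointerException.
                throw new TokenServiceException("Cannot verify token - no certificate for alias: " + alias);
            }
            publicKey = certificate.getPublicKey();
        } catch (KeyStoreException | KeystoreServiceException e) {
            throw new TokenServiceException("Cannot verify token.", e);
        }
        if (!(publicKey instanceof RSAPublicKey)) {
            throw new TokenServiceException("Cannot verify token - public key for alias " + alias + " is not an RSA key");
        }
        return (RSAPublicKey) publicKey;
    }

    private boolean verifyTokenUsingHMAC(JWT jwt) throws TokenServiceException {
        try {
            return jwt.verify(new MACVerifier(getHmacSecret()));
        } catch (JOSEException e) {
            throw new TokenServiceException("Cannot verify token.", e);
        }
    }

    /**
     * Verifies {@code jwt} against a remote JWKS.
     *
     * <p>The expected algorithm is fixed by the caller, so the token's own {@code alg} header cannot
     * select a different scheme; the standard claims verifier additionally checks {@code exp} and
     * {@code nbf}, and the type verifier restricts the {@code typ} header to {@code set}.
     *
     * @param jwksUrl   URL of the JWK set holding the verification keys
     * @param algorithm expected JWS algorithm name, e.g. {@code RS256}
     * @param set       accepted JOSE object types for the {@code typ} header
     * @return {@code true} if the token was accepted; {@code false} when {@code jwksUrl} or
     *         {@code algorithm} is {@code null} (no verification is attempted in that case)
     * @throws TokenServiceException if the token is rejected or the JWKS cannot be used
     */
    public boolean verifyToken(JWT jwt, String jwksUrl, String algorithm, Set<JOSEObjectType> set) throws TokenServiceException {
        if (jwksUrl == null || algorithm == null) {
            return false;
        }
        try {
            JWSVerificationKeySelector<SecurityContext> keySelector = new JWSVerificationKeySelector<>(
                    JWSAlgorithm.parse(algorithm), new RemoteJWKSet<>(new URL(jwksUrl)));
            DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
            processor.setJWSKeySelector(keySelector);
            processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>());
            processor.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>(set));
            processor.process(jwt.toString(), null);
            return true;
        } catch (BadJOSEException | JOSEException | MalformedURLException | ParseException e) {
            throw new TokenServiceException("Cannot verify token.", e);
        }
    }

    /**
     * Records the gateway configuration.
     *
     * @throws ServiceLifecycleException if the alias or keystore service has not been injected
     */
    public void init(GatewayConfig gatewayConfig, Map<String, String> map) throws ServiceLifecycleException {
        if (this.aliasService == null || this.keystoreService == null) {
            throw new ServiceLifecycleException("Alias or Keystore service is not set");
        }
        this.config = gatewayConfig;
    }

    /**
     * Loads and caches the RSA signing material: the key passphrase, the public-key thumbprint
     * (used as {@code kid}) and the private key. Each step fails with the matching localized
     * message; only a failed thumbprint computation is tolerated, leaving the kid empty.
     *
     * @throws ServiceLifecycleException if the keystore, passphrase, certificate or key is unusable
     */
    public void start() throws ServiceLifecycleException {
        try {
            KeyStore signingKeystore = this.keystoreService.getSigningKeystore();
            if (signingKeystore == null) {
                throw new ServiceLifecycleException(RESOURCES.signingKeystoreNotAvailable(this.config.getSigningKeystorePath()));
            }
            this.cachedSigningKeyPassphrase = loadSigningKeyPassphrase();
            String signingKeyAlias = getSigningKeyAlias();
            RSAPublicKey publicKey = loadPublicSigningKey(signingKeystore, signingKeyAlias);
            this.cachedSigningKeyID = computeKeyID(publicKey);
            this.signingKey = loadPrivateSigningKey(signingKeystore, signingKeyAlias, this.cachedSigningKeyPassphrase);
        } catch (KeystoreServiceException e) {
            throw new ServiceLifecycleException(RESOURCES.signingKeystoreNotAvailable(this.config.getSigningKeystorePath()), e);
        }
    }

    /** Reads the signing key passphrase from the alias service; absent or unreadable is fatal. */
    private char[] loadSigningKeyPassphrase() throws ServiceLifecycleException {
        char[] passphrase;
        try {
            passphrase = this.aliasService.getSigningKeyPassphrase();
        } catch (AliasServiceException e) {
            throw new ServiceLifecycleException(RESOURCES.signingKeyPassphraseNotAvailable(this.config.getSigningKeyPassphraseAlias()), e);
        }
        if (passphrase == null) {
            throw new ServiceLifecycleException(RESOURCES.signingKeyPassphraseNotAvailable(this.config.getSigningKeyPassphraseAlias()));
        }
        return passphrase;
    }

    /** Loads the certificate for {@code alias} and returns its public key, which must be RSA. */
    private static RSAPublicKey loadPublicSigningKey(KeyStore keystore, String alias) throws ServiceLifecycleException {
        Certificate certificate;
        try {
            certificate = keystore.getCertificate(alias);
        } catch (KeyStoreException e) {
            throw new ServiceLifecycleException(RESOURCES.publicSigningKeyNotFound(alias), e);
        }
        if (certificate == null) {
            throw new ServiceLifecycleException(RESOURCES.publicSigningKeyNotFound(alias));
        }
        PublicKey publicKey = certificate.getPublicKey();
        if (publicKey == null) {
            throw new ServiceLifecycleException(RESOURCES.publicSigningKeyNotFound(alias));
        }
        if (!(publicKey instanceof RSAPublicKey)) {
            throw new ServiceLifecycleException(RESOURCES.publicSigningKeyWrongType(alias));
        }
        return (RSAPublicKey) publicKey;
    }

    /**
     * Computes the {@code kid} thumbprint of the signing public key. The thumbprint is advisory,
     * so a failure (the only JOSEException source in start-up) is logged and yields an empty kid
     * rather than aborting start-up.
     */
    private static Optional<String> computeKeyID(RSAPublicKey publicKey) {
        try {
            return Optional.of(TokenUtils.getThumbprint(publicKey, KID_THUMBPRINT_ALGORITHM));
        } catch (JOSEException e) {
            LOG.errorGettingKid(e.toString());
            return Optional.empty();
        }
    }

    /** Loads the private key for {@code alias}, which must be present and RSA. */
    private static RSAPrivateKey loadPrivateSigningKey(KeyStore keystore, String alias, char[] passphrase) throws ServiceLifecycleException {
        try {
            Key key = keystore.getKey(alias, passphrase);
            if (key == null) {
                throw new ServiceLifecycleException(RESOURCES.privateSigningKeyNotFound(alias));
            }
            if (!(key instanceof RSAPrivateKey)) {
                throw new ServiceLifecycleException(RESOURCES.privateSigningKeyWrongType(alias));
            }
            return (RSAPrivateKey) key;
        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
            throw new ServiceLifecycleException(RESOURCES.privateSigningKeyNotFound(alias), e);
        }
    }

    /**
     * No-op. Cached key material (passphrase, private key, HMAC secret) is retained for the life
     * of the instance; it is not scrubbed here.
     */
    public void stop() throws ServiceLifecycleException {
    }

    /** The cached signing-key thumbprint, empty until {@link #start()} has computed it. */
    protected Optional<String> getCachedSigningKeyID() {
        return this.cachedSigningKeyID;
    }
}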
