package org.wso2.carbon.identity.oauth2.authcontext;

import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.util.Calendar;
import java.util.Iterator;
import java.util.SortedMap;
import java.util.TreeSet;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.axiom.util.base64.Base64Utils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.identity.core.model.OAuthAppDO;
import org.wso2.carbon.identity.oauth.IdentityOAuthAdminException;
import org.wso2.carbon.identity.oauth.cache.CacheEntry;
import org.wso2.carbon.identity.oauth.cache.CacheKey;
import org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth.dao.OAuthAppDAO;
import org.wso2.carbon.identity.oauth.internal.OAuthComponentServiceHolder;
import org.wso2.carbon.identity.oauth.util.ClaimCache;
import org.wso2.carbon.identity.oauth.util.ClaimCacheKey;
import org.wso2.carbon.identity.oauth.util.UserClaims;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.dto.AuthorizationContextToken;
import org.wso2.carbon.identity.oauth2.dto.OAuth2TokenValidationRequestDTO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2TokenValidationResponseDTO;
import org.wso2.carbon.user.api.UserStoreException;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/oauth2/authcontext/JWTTokenGenerator.class */
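/**
 * Builds the JWT "authorization context" token that is handed to the API gateway after an
 * OAuth2 access token has been validated.
 *
 * <p>The token is {@code base64(header) + "." + base64(payload) + "." + base64(signature)}.
 * The payload always carries {@code iss}, {@code exp} and three gateway-namespaced claims
 * (subscriber, applicationname, enduser); when a {@link ClaimsRetriever} is configured the
 * end user's claims are appended, sorted by claim URI. With {@code SHA256withRSA} the payload
 * is signed with the tenant's private key and the header carries the certificate thumbprint
 * ({@code x5t}); with {@code NONE} the header is {@code {"typ":"JWT"}} and the signature
 * segment is empty — such a token proves nothing and must not be trusted by consumers.
 *
 * <p>Wire-format caveats kept for compatibility with existing consumers (confirm before
 * changing any of them):
 * <ul>
 *   <li>{@code exp} is epoch <em>milliseconds</em>, not the seconds RFC 7519 specifies.</li>
 *   <li>{@code x5t} is base64 of the <em>hex string</em> of the SHA-1 thumbprint, not base64url
 *       of the raw digest as RFC 7515 specifies.</li>
 *   <li>NOTE(review): {@code Base64Utils} appears to be Axiom's plain Base64 encoder, i.e. the
 *       segments are presumably not base64url — verify what consumers parse.</li>
 * </ul>
 *
 * <p>Changes versus the previous revision: every string placed in the JSON payload is now
 * JSON-escaped (an application name or claim value containing {@code "} could previously
 * inject arbitrary claims); the two-argument constructor now initialises the claim cache
 * (it was left {@code null}, giving an NPE on the first claim lookup); a generator created
 * with {@code enableSigning=true} now reads the signing algorithm regardless of
 * {@code includeClaims} (it previously emitted unsigned tokens); missing keys/certificates
 * fail with a clear {@link IdentityOAuth2Exception} instead of an NPE; and exception causes
 * are preserved.
 *
 * <p>Thread-safety: the key and certificate caches are static {@link ConcurrentHashMap}s and
 * are never evicted, so a rotated tenant keystore is not picked up until the JVM restarts.
 */
public class JWTTokenGenerator implements AuthorizationContextTokenGenerator {

    /** Issuer ("iss") of every token and the namespace prefix of the gateway-specific claims. */
    private static final String API_GATEWAY_ID = "http://wso2.org/gateway";
    private static final String SHA256_WITH_RSA = "SHA256withRSA";
    /** Marker for "emit an unsigned token"; the only algorithm accepted besides SHA256withRSA. */
    private static final String NONE = "NONE";
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";
    private static final String TENANT_KEYSTORE_SUFFIX = ".jks";
    private static final String UNSIGNED_HEADER = "{\"typ\":\"JWT\"}";
    /** Lifetime used when AuthorizationContextTTL is absent from the configuration. */
    private static final long DEFAULT_TTL_MINUTES = 15L;

    private static final Log log = LogFactory.getLog(JWTTokenGenerator.class);

    /** Token lifetime in minutes, read lazily from configuration; -1 means "not resolved yet". */
    private static volatile long ttl = -1;
    /** Per-tenant signing keys and certificates, cached after the first keystore lookup. */
    private static final ConcurrentHashMap<Integer, Key> privateKeys = new ConcurrentHashMap<>();
    private static final ConcurrentHashMap<Integer, Certificate> publicCerts = new ConcurrentHashMap<>();

    private ClaimsRetriever claimsRetriever;
    private String signatureAlgorithm = SHA256_WITH_RSA;
    private boolean includeClaims = true;
    private boolean enableSigning = true;
    // Initialised here (not only in the no-arg constructor) so every instance has a cache.
    private final ClaimCache claimsLocalCache = ClaimCache.getInstance();

    /** Creates a generator that includes claims and signs with SHA256withRSA. */
    public JWTTokenGenerator() {
    }

    /**
     * Creates a generator with explicit feature switches.
     *
     * @param includeClaims whether end-user claims are appended to the payload
     * @param enableSigning whether the token is signed; until {@link #init()} resolves the
     *                      configured algorithm the generator emits unsigned tokens
     */
    public JWTTokenGenerator(boolean includeClaims, boolean enableSigning) {
        this.includeClaims = includeClaims;
        this.enableSigning = enableSigning;
        this.signatureAlgorithm = NONE;
    }

    /**
     * Resolves the signing algorithm and the claims retriever from {@link OAuthServerConfiguration}.
     *
     * <p>The algorithm is read whenever signing is enabled. The claims retriever is only loaded
     * when both claims and signing are enabled (claims are never placed in an unsigned token).
     * A claims retriever that cannot be loaded is logged and skipped, so tokens are then issued
     * without user claims rather than failing.
     *
     * @throws IdentityOAuth2Exception declared by the interface; not thrown by this implementation
     */
    @Override // org.wso2.carbon.identity.oauth2.authcontext.AuthorizationContextTokenGenerator
    public void init() throws IdentityOAuth2Exception {
        OAuthServerConfiguration config = OAuthServerConfiguration.getInstance();
        if (this.enableSigning) {
            this.signatureAlgorithm = resolveSignatureAlgorithm(config.getSignatureAlgorithm());
            if (NONE.equals(this.signatureAlgorithm)) {
                log.warn("Authorization context tokens are configured with signature algorithm NONE; "
                        + "tokens will be unsigned and cannot be verified by consumers.");
            }
        }
        if (this.includeClaims && this.enableSigning) {
            loadClaimsRetriever(config.getClaimsRetrieverImplClass());
        }
    }

    /**
     * Maps the configured algorithm name onto one of the two supported values.
     *
     * @param configured value from configuration, may be null
     * @return {@code NONE} or {@code SHA256withRSA}; anything else falls back to SHA256withRSA
     */
    private static String resolveSignatureAlgorithm(String configured) {
        if (NONE.equals(configured) || SHA256_WITH_RSA.equals(configured)) {
            return configured;
        }
        if (configured != null) {
            log.warn("Unsupported signature algorithm '" + configured + "' configured; using "
                    + SHA256_WITH_RSA);
        }
        return SHA256_WITH_RSA;
    }

    /**
     * Instantiates and initialises the configured {@link ClaimsRetriever}, best-effort.
     *
     * @param implClass fully qualified class name from configuration; null means "no retriever"
     */
    private void loadClaimsRetriever(String implClass) {
        if (implClass == null) {
            return;
        }
        try {
            ClaimsRetriever retriever = (ClaimsRetriever) Class.forName(implClass).newInstance();
            retriever.init();
            this.claimsRetriever = retriever;
        } catch (ReflectiveOperationException | ClassCastException e) {
            log.error("Cannot load claims retriever class: " + implClass, e);
        } catch (IdentityOAuth2Exception e) {
            log.error("Error while initializing " + implClass, e);
        }
    }

    /**
     * Generates the authorization context JWT for a validated access token.
     *
     * @param oAuth2TokenValidationRequestDTO  validation request; supplies the required claim URIs
     * @param oAuth2TokenValidationResponseDTO validation response; supplies consumer key and end user
     * @return the token, type {@code "JWT"}
     * @throws IdentityOAuth2Exception if the application, TTL, key or certificate cannot be
     *                                 resolved, or signing fails
     */
    @Override // org.wso2.carbon.identity.oauth2.authcontext.AuthorizationContextTokenGenerator
    public AuthorizationContextToken generateToken(OAuth2TokenValidationRequestDTO oAuth2TokenValidationRequestDTO,
                                                   OAuth2TokenValidationResponseDTO oAuth2TokenValidationResponseDTO)
            throws IdentityOAuth2Exception {
        try {
            OAuthAppDO app = new OAuthAppDAO().getAppInformation(oAuth2TokenValidationResponseDTO.getConsumerKey());
            String endUser = oAuth2TokenValidationResponseDTO.getAuthorizedUser();
            String payload = buildPayload(app, endUser, oAuth2TokenValidationRequestDTO);
            boolean unsigned = NONE.equals(this.signatureAlgorithm);
            String header = unsigned ? UNSIGNED_HEADER : addCertToHeader(endUser);

            String signingInput = encodeSegment(header) + "." + encodeSegment(payload);
            if (unsigned) {
                // Trailing dot: empty signature segment.
                return new AuthorizationContextToken("JWT", signingInput + ".");
            }
            String encodedSignature = Base64Utils.encode(signJWT(signingInput, endUser));
            if (log.isDebugEnabled()) {
                log.debug("Signed assertion value : " + encodedSignature);
            }
            return new AuthorizationContextToken("JWT", signingInput + "." + encodedSignature);
        } catch (IdentityOAuthAdminException e) {
            log.error(e.getMessage(), e);
            throw new IdentityOAuth2Exception(e.getMessage(), e);
        } catch (InvalidOAuthClientException e) {
            log.error(e.getMessage(), e);
            throw new IdentityOAuth2Exception(e.getMessage(), e);
        }
    }

    /** Base64-encodes a JWT segment; the text is always UTF-8 regardless of platform charset. */
    private static String encodeSegment(String text) {
        return Base64Utils.encode(text.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Builds the JSON payload. All values are JSON-escaped so a {@code "} or control character
     * in an application name, user name or claim value cannot inject additional claims.
     *
     * @param app        registered application (subscriber and application name)
     * @param endUser    authorized user, also used as the cache key for claim lookup
     * @param requestDTO validation request, supplies the required claim URIs
     * @return the JSON object text
     * @throws IdentityOAuth2Exception if the TTL is misconfigured or claim retrieval fails
     */
    private String buildPayload(OAuthAppDO app, String endUser, OAuth2TokenValidationRequestDTO requestDTO)
            throws IdentityOAuth2Exception {
        // NOTE(review): "exp" is epoch milliseconds, not RFC 7519 seconds; kept as-is since
        // existing consumers presumably parse it this way — confirm before changing.
        long expiryMillis = System.currentTimeMillis() + 60000 * getTTL();
        StringBuilder json = new StringBuilder(256);
        json.append("{\"iss\":\"").append(API_GATEWAY_ID).append("\",");
        json.append("\"exp\":").append(expiryMillis).append(',');
        appendGatewayClaim(json, "subscriber", app.getUserName());
        json.append(',');
        appendGatewayClaim(json, "applicationname", app.getApplicationName());
        json.append(',');
        appendGatewayClaim(json, "enduser", endUser);
        if (this.claimsRetriever != null) {
            SortedMap<String, String> claims = retrieveClaims(endUser, requestDTO);
            if (claims != null) {
                // Copy into a TreeSet so the output order is the natural String order
                // even if the map was built with a different comparator.
                for (String claimUri : new TreeSet<String>(claims.keySet())) {
                    json.append(", \"").append(jsonEscape(claimUri)).append("\":\"")
                            .append(jsonEscape(claims.get(claimUri))).append('"');
                }
            }
        }
        return json.append('}').toString();
    }

    /** Appends {@code "<API_GATEWAY_ID>/<name>":"<escaped value>"} without a leading comma. */
    private static void appendGatewayClaim(StringBuilder json, String name, String value) {
        json.append('"').append(API_GATEWAY_ID).append('/').append(name).append("\":\"")
                .append(jsonEscape(value)).append('"');
    }

    /**
     * Returns the end user's claims, served from {@link ClaimCache} when present.
     *
     * @return the claims map as produced by the retriever; may be null if the retriever returns null
     */
    private SortedMap<String, String> retrieveClaims(String endUser, OAuth2TokenValidationRequestDTO requestDTO)
            throws IdentityOAuth2Exception {
        ClaimCacheKey cacheKey = new ClaimCacheKey(endUser, requestDTO.getRequiredClaims());
        CacheEntry cached = this.claimsLocalCache.getValueFromCache((CacheKey) cacheKey);
        if (cached != null) {
            return ((UserClaims) cached).getClaimValues();
        }
        SortedMap<String, String> claims = this.claimsRetriever.getClaims(endUser, requestDTO.getRequiredClaims());
        this.claimsLocalCache.addToCache((CacheKey) cacheKey, (CacheEntry) new UserClaims(claims));
        return claims;
    }

    /**
     * Escapes a value for use inside a JSON string literal (RFC 8259 section 7).
     *
     * @param value raw text; null is rendered as the text {@code null}, matching what
     *              {@code StringBuilder.append((String) null)} produced before
     * @return escaped text without surrounding quotes
     */
    private static String jsonEscape(String value) {
        if (value == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '"':
                    out.append("\\\"");
                    break;
                case '\\':
                    out.append("\\\\");
                    break;
                case '\n':
                    out.append("\\n");
                    break;
                case '\r':
                    out.append("\\r");
                    break;
                case '\t':
                    out.append("\\t");
                    break;
                case '\b':
                    out.append("\\b");
                    break;
                case '\f':
                    out.append("\\f");
                    break;
                default:
                    if (c < 0x20) {
                        out.append(String.format("\\u%04x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    /**
     * Signs {@code signingInput} with the private key of the end user's tenant.
     *
     * @param signingInput {@code base64(header) + "." + base64(payload)}
     * @param endUser      user whose domain selects the tenant keystore
     * @return raw signature bytes
     * @throws IdentityOAuth2Exception if the tenant or its key cannot be resolved, or signing fails
     */
    private byte[] signJWT(String signingInput, String endUser) throws IdentityOAuth2Exception {
        String tenantDomain = MultitenantUtils.getTenantDomain(endUser);
        int tenantId = getTenantId(endUser);
        Key key = privateKeys.get(tenantId);
        if (key == null) {
            key = loadPrivateKey(tenantId, tenantDomain);
            if (key != null) {
                privateKeys.put(tenantId, key);
            }
        }
        if (!(key instanceof PrivateKey)) {
            // Previously fell through to Signature.initSign(null).
            throw new IdentityOAuth2Exception("No private key available for tenant " + tenantDomain);
        }
        try {
            Signature signature = Signature.getInstance(this.signatureAlgorithm);
            signature.initSign((PrivateKey) key);
            signature.update(signingInput.getBytes(StandardCharsets.UTF_8));
            return signature.sign();
        } catch (InvalidKeyException e) {
            throw new IdentityOAuth2Exception("Invalid private key provided for the signature", e);
        } catch (NoSuchAlgorithmException e) {
            throw new IdentityOAuth2Exception("Signature algorithm not found.", e);
        } catch (SignatureException e) {
            throw new IdentityOAuth2Exception("Error in signature", e);
        }
    }

    /**
     * Reads the tenant's signing key from its keystore (the default key for the super tenant).
     *
     * @return the key, or null if the keystore holds none under the tenant alias
     * @throws IdentityOAuth2Exception if the keystore cannot be accessed
     */
    private static Key loadPrivateKey(int tenantId, String tenantDomain) throws IdentityOAuth2Exception {
        KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(tenantId);
        try {
            if (SUPER_TENANT_DOMAIN.equals(tenantDomain)) {
                return keyStoreManager.getDefaultPrivateKey();
            }
            return keyStoreManager.getPrivateKey(tenantKeyStoreName(tenantDomain), tenantDomain);
        } catch (Exception e) {
            // getDefaultPrivateKey() declares a broad checked exception.
            throw new IdentityOAuth2Exception("Error while obtaining private key for tenant " + tenantDomain, e);
        }
    }

    /**
     * Builds the JWS header for a signed token, carrying the tenant certificate thumbprint.
     *
     * <p>{@code x5t} is the base64 encoding of the lowercase hex SHA-1 of the DER certificate
     * (not base64url of the raw digest as RFC 7515 defines); kept for compatibility.
     *
     * @param endUser user whose domain selects the tenant keystore
     * @return header JSON text
     * @throws IdentityOAuth2Exception if the certificate cannot be obtained or encoded
     */
    private String addCertToHeader(String endUser) throws IdentityOAuth2Exception {
        String tenantDomain = MultitenantUtils.getTenantDomain(endUser);
        int tenantId = getTenantId(endUser);
        Certificate certificate = publicCerts.get(tenantId);
        if (certificate == null) {
            certificate = loadCertificate(tenantId, tenantDomain);
            if (certificate == null) {
                throw new IdentityOAuth2Exception("No certificate found for tenant " + tenantDomain);
            }
            publicCerts.put(tenantId, certificate);
        }
        try {
            MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
            String thumbprintHex = hexify(sha1.digest(certificate.getEncoded()));
            return "{\"typ\":\"JWT\",\"alg\":\"" + this.signatureAlgorithm + "\",\"x5t\":\""
                    + Base64Utils.encode(thumbprintHex.getBytes(StandardCharsets.UTF_8)) + "\"}";
        } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
            throw new IdentityOAuth2Exception("Error in generating public cert thumbprint", e);
        }
    }

    /**
     * Reads the tenant's certificate (the primary certificate for the super tenant).
     *
     * @return the certificate, or null if the keystore has none under the tenant alias
     * @throws IdentityOAuth2Exception if the keystore cannot be accessed
     */
    private static Certificate loadCertificate(int tenantId, String tenantDomain) throws IdentityOAuth2Exception {
        KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(tenantId);
        try {
            if (SUPER_TENANT_DOMAIN.equals(tenantDomain)) {
                return keyStoreManager.getDefaultPrimaryCertificate();
            }
            return keyStoreManager.getKeyStore(tenantKeyStoreName(tenantDomain)).getCertificate(tenantDomain);
        } catch (KeyStoreException e) {
            throw new IdentityOAuth2Exception("Error in obtaining tenant's keystore", e);
        } catch (Exception e) {
            // The KeyStoreManager accessors declare a broad checked exception.
            throw new IdentityOAuth2Exception("Error in obtaining tenant's keystore", e);
        }
    }

    /** Keystore file name convention shared by key and certificate lookup: {@code a-b-c.jks}. */
    private static String tenantKeyStoreName(String tenantDomain) {
        return tenantDomain.trim().replace(".", "-") + TENANT_KEYSTORE_SUFFIX;
    }

    /**
     * Token lifetime in minutes from AuthorizationContextTTL, defaulting to 15 and cached
     * for the life of the JVM (double-checked on the volatile field).
     *
     * @throws IdentityOAuth2Exception if the configured value is not a valid long
     */
    private static long getTTL() throws IdentityOAuth2Exception {
        long resolved = ttl;
        if (resolved != -1) {
            return resolved;
        }
        synchronized (JWTTokenGenerator.class) {
            if (ttl == -1) {
                String configured = OAuthServerConfiguration.getInstance().getAuthorizationContextTTL();
                if (configured == null) {
                    ttl = DEFAULT_TTL_MINUTES;
                } else {
                    try {
                        ttl = Long.parseLong(configured.trim());
                    } catch (NumberFormatException e) {
                        throw new IdentityOAuth2Exception(
                                "Invalid AuthorizationContextTTL value: " + configured, e);
                    }
                }
            }
            return ttl;
        }
    }

    /**
     * Resolves the tenant id of the domain part of {@code str} (a tenant-qualified user name).
     *
     * @throws IdentityOAuth2Exception if the realm service cannot resolve the domain
     */
    public static int getTenantId(String str) throws IdentityOAuth2Exception {
        try {
            return OAuthComponentServiceHolder.getRealmService().getTenantManager()
                    .getTenantId(MultitenantUtils.getTenantDomain(str));
        } catch (UserStoreException e) {
            throw new IdentityOAuth2Exception("Error in obtaining tenantId from Domain", e);
        }
    }

    /** Lowercase hex encoding, two characters per byte. */
    private static String hexify(byte[] bytes) {
        StringBuilder hex = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            hex.append(Character.forDigit((b & 0xF0) >>> 4, 16));
            hex.append(Character.forDigit(b & 0x0F, 16));
        }
        return hex.toString();
    }
}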
