package org.wso2.carbon.identity.openidconnect;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.text.ParseException;
import java.util.Calendar;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.oltu.openidconnect.as.messages.IDTokenException;
import org.wso2.carbon.core.util.KeyStoreManager;
import org.wso2.carbon.identity.application.common.IdentityApplicationManagementException;
import org.wso2.carbon.identity.application.common.model.ServiceProvider;
import org.wso2.carbon.identity.application.mgt.ApplicationManagementService;
import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCache;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheEntry;
import org.wso2.carbon.identity.oauth.cache.AuthorizationGrantCacheKey;
import org.wso2.carbon.identity.oauth.cache.CacheEntry;
import org.wso2.carbon.identity.oauth.cache.CacheKey;
import org.wso2.carbon.identity.oauth.cache.OAuthCache;
import org.wso2.carbon.identity.oauth.cache.OAuthCacheKey;
import org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.dao.TokenMgtDAO;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenRespDTO;
import org.wso2.carbon.identity.oauth2.internal.OAuth2ServiceComponentHolder;
import org.wso2.carbon.identity.oauth2.model.AccessTokenDO;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;
import org.wso2.carbon.utils.multitenancy.MultitenantUtils;

/* loaded from: input_file:org/wso2/carbon/identity/openidconnect/DefaultIDTokenBuilder.class */
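/**
 * Default {@link IDTokenBuilder}: assembles the OpenID Connect ID Token for a token request and returns it
 * serialized, either unsigned (signature algorithm configured as {@code NONE}) or signed with the tenant's
 * RSA private key.
 *
 * <p>Tenant private keys and certificates are cached in static maps keyed by tenant id. Entries are never
 * evicted, so a rotated tenant key is only picked up after the class is reloaded.
 */
public class DefaultIDTokenBuilder implements IDTokenBuilder {

    private static final Log log = LogFactory.getLog(DefaultIDTokenBuilder.class);

    // Per-tenant caches, populated lazily on the first signing request for a tenant.
    private static final ConcurrentHashMap<Integer, Key> privateKeys = new ConcurrentHashMap<>();
    private static final ConcurrentHashMap<Integer, Certificate> publicCerts = new ConcurrentHashMap<>();

    private static final String NONE = "NONE";
    private static final String INBOUND_AUTH2_TYPE = "oauth2";
    private static final String SUPER_TENANT_DOMAIN = "carbon.super";
    private static final String AUTHORIZATION_CODE_PROPERTY = "AuthorizationCode";
    private static final String KEYSTORE_EXTENSION = ".jks";

    /**
     * Builds the ID Token for the given token request.
     *
     * @param oAuthTokenReqMessageContext token request context (authorized user, client id, scope, tenant)
     * @param oAuth2AccessTokenRespDTO    the access token response the ID Token accompanies
     * @return the serialized ID Token: a signed JWT, or an unsigned JWT when the configured algorithm is
     *         {@code NONE}
     * @throws IdentityOAuth2Exception if the configured signature algorithm is unsupported, the service
     *                                 provider or subject claim cannot be read, the access token's issue time
     *                                 is unknown, or building/signing the token fails
     */
    @Override // org.wso2.carbon.identity.openidconnect.IDTokenBuilder
    public String buildIDToken(OAuthTokenReqMessageContext oAuthTokenReqMessageContext,
                               OAuth2AccessTokenRespDTO oAuth2AccessTokenRespDTO) throws IdentityOAuth2Exception {
        OAuthServerConfiguration config = OAuthServerConfiguration.getInstance();
        String signatureAlgorithm = config.getSignatureAlgorithm();
        boolean unsigned = NONE.equals(signatureAlgorithm);
        if (!unsigned) {
            // Reject a misconfigured algorithm before any lookups are done; signJWT re-reads and maps it again.
            mapSignatureAlgorithm(signatureAlgorithm);
        }
        String issuer = config.getOpenIDConnectIDTokenIssuerIdentifier();
        // Configured in seconds. Multiply as long: an int product overflows for lifetimes above ~24 days.
        long lifetimeMillis = Integer.parseInt(config.getOpenIDConnectIDTokenExpiration()) * 1000L;
        long nowMillis = Calendar.getInstance().getTimeInMillis();
        String clientId = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId();
        String accessToken = oAuth2AccessTokenRespDTO.getAccessToken();

        String subject = resolveSubject(oAuthTokenReqMessageContext, clientId);
        // A nonce is looked up only when the request carries an authorization code.
        String nonce = null;
        if (oAuthTokenReqMessageContext.getProperty(AUTHORIZATION_CODE_PROPERTY) != null) {
            nonce = getNonce(oAuthTokenReqMessageContext);
        }
        long authTime = getAccessTokenIssuedTime(accessToken, oAuthTokenReqMessageContext);
        // NOTE(review): this is the access token itself, base64-encoded, not a digest of it. OpenID Connect
        // Core defines at_hash as the base64url-encoded left half of a hash of the token, so the ID Token as
        // built here carries the full access token to anyone who can read it. Not changed here because a
        // conformant at_hash alters what relying parties receive.
        String atHash = new String(Base64.encodeBase64(accessToken.getBytes(StandardCharsets.UTF_8)),
                StandardCharsets.UTF_8);

        if (log.isDebugEnabled()) {
            log.debug(describe(issuer, subject, lifetimeMillis, nowMillis, nonce, signatureAlgorithm));
        }

        org.apache.oltu.openidconnect.as.messages.IDTokenBuilder claims =
                new org.apache.oltu.openidconnect.as.messages.IDTokenBuilder()
                        .setIssuer(issuer)
                        .setSubject(subject)
                        .setAudience(clientId)
                        .setAuthorizedParty(clientId)
                        .setExpiration(nowMillis + lifetimeMillis)
                        .setAuthTime(authTime)
                        .setAtHash(atHash)
                        .setIssuedAt(nowMillis);
        if (nonce != null) {
            claims.setNonce(nonce);
        }
        config.getOpenIDConnectCustomClaimsCallbackHandler().handleCustomClaims(claims, oAuthTokenReqMessageContext);

        try {
            String idToken = claims.buildIDToken();
            if (unsigned) {
                // alg=none: emitted without a signature, so relying parties cannot verify the token's integrity.
                return new PlainJWT((JWTClaimsSet) PlainJWT.parse(idToken).getJWTClaimsSet()).serialize();
            }
            return signJWT(idToken, oAuthTokenReqMessageContext);
        } catch (ParseException e) {
            log.error("Error while parsing the IDToken", e);
            throw new IdentityOAuth2Exception("Error while parsing the IDToken", e);
        } catch (IDTokenException e) {
            log.error("Error while generating the IDToken", e);
            throw new IdentityOAuth2Exception("Error while generating the IDToken", e);
        }
    }

    /**
     * Resolves the ID Token subject: the authorized user, or — when the service provider registered for the
     * client configures a subject claim URI and the user has a value for it — that claim value.
     *
     * @throws IdentityOAuth2Exception if the service provider or the user's claim cannot be read
     */
    private String resolveSubject(OAuthTokenReqMessageContext ctx, String clientId) throws IdentityOAuth2Exception {
        String authorizedUser = ctx.getAuthorizedUser();
        String subjectClaimUri = null;
        try {
            ApplicationManagementService appMgtService = OAuth2ServiceComponentHolder.getApplicationMgtService();
            String spName = appMgtService.getServiceProviderNameByClientId(clientId, INBOUND_AUTH2_TYPE);
            ServiceProvider sp = appMgtService.getApplication(spName);
            if (sp != null && sp.getLocalAndOutBoundAuthenticationConfig() != null) {
                subjectClaimUri = sp.getLocalAndOutBoundAuthenticationConfig().getSubjectClaimUri();
            }
        } catch (IdentityApplicationManagementException e) {
            log.error("Error while getting service provider information.", e);
            throw new IdentityOAuth2Exception("Error while getting service provider information.", e);
        }
        if (subjectClaimUri == null) {
            return authorizedUser;
        }
        try {
            String claimValue = IdentityTenantUtil
                    .getRealm(MultitenantUtils.getTenantDomain(authorizedUser), authorizedUser)
                    .getUserStoreManager()
                    .getUserClaimValue(MultitenantUtils.getTenantAwareUsername(authorizedUser), subjectClaimUri,
                            (String) null);
            // A user without a value for the configured claim falls back to the plain authorized user.
            return claimValue != null ? claimValue : authorizedUser;
        } catch (Exception e) {
            log.error("Error while generating the IDToken.", e);
            throw new IdentityOAuth2Exception("Error while generating the IDToken", e);
        }
    }

    /** Formats the ID Token inputs for the debug log, one item per line. */
    private static String describe(String issuer, String subject, long lifetimeMillis, long nowMillis,
                                   String nonce, String signatureAlgorithm) {
        return new StringBuilder()
                .append("Using issuer ").append(issuer).append('\n')
                .append("Subject ").append(subject).append('\n')
                .append("ID Token life time ").append(lifetimeMillis).append('\n')
                .append("Current time ").append(nowMillis).append('\n')
                .append("Nonce Value ").append(nonce).append('\n')
                .append("Signature Algorithm ").append(signatureAlgorithm).append('\n')
                .toString();
    }

    /**
     * Signs the unsigned JWT with the tenant's RSA private key.
     *
     * @param str                         the unsigned JWT (compact serialization) whose claims are signed
     * @param jWSAlgorithm                the RSA JWS algorithm to use (RS256/RS384/RS512)
     * @param oAuthTokenReqMessageContext request context; supplies the tenant domain and tenant id
     * @return the signed JWT in compact serialization
     * @throws IdentityOAuth2Exception if the tenant key cannot be obtained, is not an RSA key, or signing fails
     */
    protected String signJWTWithRSA(String str, JWSAlgorithm jWSAlgorithm,
                                    OAuthTokenReqMessageContext oAuthTokenReqMessageContext) throws IdentityOAuth2Exception {
        String tenantDomain = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getTenantDomain();
        if (tenantDomain == null) {
            tenantDomain = SUPER_TENANT_DOMAIN;
        }
        try {
            int tenantId = oAuthTokenReqMessageContext.getTenantID();
            if (tenantId == 0) {
                // Tenant id 0 is treated as "not set" and resolved from the domain.
                tenantId = OAuth2Util.getTenantId(tenantDomain);
            }
            Key key = loadPrivateKey(tenantId, tenantDomain);
            cacheCertificate(tenantId, tenantDomain);
            if (!(key instanceof RSAPrivateKey)) {
                // Rejected explicitly: a null or non-RSA key would otherwise fail inside RSASSASigner and be
                // reported as a generic keystore error.
                throw new IdentityOAuth2Exception("No RSA private key available for tenant " + tenantDomain);
            }
            SignedJWT signedJWT = new SignedJWT(new JWSHeader(jWSAlgorithm), PlainJWT.parse(str).getJWTClaimsSet());
            signedJWT.sign(new RSASSASigner((RSAPrivateKey) key));
            return signedJWT.serialize();
        } catch (IdentityOAuth2Exception e) {
            throw e;
        } catch (JOSEException e) {
            log.error("Error while signing the IDToken", e);
            throw new IdentityOAuth2Exception("Error while signing the IDToken", e);
        } catch (Exception e) {
            log.error("Error in obtaining tenant's keystore", e);
            throw new IdentityOAuth2Exception("Error in obtaining tenant's keystore", e);
        }
    }

    /**
     * Returns the tenant's private key, loading and caching it on first use; {@code null} when the keystore
     * yields none. Declared {@code throws Exception} because the Carbon KeyStoreManager calls do.
     */
    private static Key loadPrivateKey(int tenantId, String tenantDomain) throws Exception {
        Key key = privateKeys.get(tenantId);
        if (key != null) {
            return key;
        }
        KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(tenantId);
        if (SUPER_TENANT_DOMAIN.equals(tenantDomain)) {
            key = keyStoreManager.getDefaultPrivateKey();
        } else {
            key = keyStoreManager.getPrivateKey(tenantKeyStoreName(tenantDomain), tenantDomain);
        }
        if (key != null) {
            privateKeys.put(tenantId, key);
        }
        return key;
    }

    /**
     * Loads and caches the tenant's public certificate alongside the private key. Nothing in this class reads
     * {@code publicCerts} after it is populated.
     */
    private static void cacheCertificate(int tenantId, String tenantDomain) throws Exception {
        if (publicCerts.containsKey(tenantId)) {
            return;
        }
        KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(tenantId);
        Certificate certificate;
        if (SUPER_TENANT_DOMAIN.equals(tenantDomain)) {
            certificate = keyStoreManager.getDefaultPrimaryCertificate();
        } else {
            certificate = keyStoreManager.getKeyStore(tenantKeyStoreName(tenantDomain)).getCertificate(tenantDomain);
        }
        if (certificate != null) {
            publicCerts.put(tenantId, certificate);
        }
    }

    /** Tenant keystores are named after the tenant domain with dots replaced by dashes, e.g. {@code foo-com.jks}. */
    private static String tenantKeyStoreName(String tenantDomain) {
        return tenantDomain.trim().replace(".", "-") + KEYSTORE_EXTENSION;
    }

    /**
     * Returns the nonce stored with the authorization code grant, or {@code null} when no such grant entry is
     * cached; the caller then issues the ID Token without a nonce instead of failing on a null entry.
     */
    private String getNonce(OAuthTokenReqMessageContext oAuthTokenReqMessageContext) {
        String authorizationCode = (String) oAuthTokenReqMessageContext.getProperty(AUTHORIZATION_CODE_PROPERTY);
        Object cached = AuthorizationGrantCache.getInstance()
                .getValueFromCache(new AuthorizationGrantCacheKey(authorizationCode));
        if (cached instanceof AuthorizationGrantCacheEntry) {
            return ((AuthorizationGrantCacheEntry) cached).getNonceValue();
        }
        return null;
    }

    /**
     * Returns the issue time (epoch millis) of the access token, used as the ID Token's {@code auth_time}.
     * The cached token object is tried first; on a miss the token is read from the token store.
     *
     * @param str                         the access token (the lookup key in the token store)
     * @param oAuthTokenReqMessageContext request context used to build the cache key
     * @throws IdentityOAuth2Exception if the token is found in neither cache nor store
     */
    private long getAccessTokenIssuedTime(String str, OAuthTokenReqMessageContext oAuthTokenReqMessageContext)
            throws IdentityOAuth2Exception {
        // NOTE(review): locale-sensitive toLowerCase() kept deliberately — the key has to match the form used
        // where the token was cached; switching to Locale.ROOT here alone could turn hits into misses.
        String cacheKey = oAuthTokenReqMessageContext.getOauth2AccessTokenReqDTO().getClientId() + ":"
                + oAuthTokenReqMessageContext.getAuthorizedUser().toLowerCase() + ":"
                + OAuth2Util.buildScopeString(oAuthTokenReqMessageContext.getScope());
        CacheEntry cached = OAuthCache.getInstance().getValueFromCache(new OAuthCacheKey(cacheKey));
        AccessTokenDO accessTokenDO = cached instanceof AccessTokenDO ? (AccessTokenDO) cached : null;
        if (accessTokenDO == null) {
            // Cache miss (or an entry of another type): fall back to the persistence layer.
            accessTokenDO = new TokenMgtDAO().retrieveAccessToken(str, false);
        }
        if (accessTokenDO == null) {
            log.error("Error occurred while getting access token based information");
            throw new IdentityOAuth2Exception("Error occurred while getting access token based information");
        }
        return accessTokenDO.getIssuedTime().getTime();
    }

    /**
     * Signs the JWT with the configured algorithm. Only the RSA family has a signer here; HMAC and EC
     * algorithms map successfully in {@link #mapSignatureAlgorithm(String)} but are rejected at this point.
     *
     * @param str                         the unsigned JWT (compact serialization)
     * @param oAuthTokenReqMessageContext request context forwarded to the RSA signer for tenant resolution
     * @return the signed JWT in compact serialization
     * @throws IdentityOAuth2Exception if the configured algorithm is not an RSA algorithm or signing fails
     */
    protected String signJWT(String str, OAuthTokenReqMessageContext oAuthTokenReqMessageContext)
            throws IdentityOAuth2Exception {
        JWSAlgorithm algorithm = mapSignatureAlgorithm(OAuthServerConfiguration.getInstance().getSignatureAlgorithm());
        if (JWSAlgorithm.RS256.equals(algorithm) || JWSAlgorithm.RS384.equals(algorithm)
                || JWSAlgorithm.RS512.equals(algorithm)) {
            return signJWTWithRSA(str, algorithm, oAuthTokenReqMessageContext);
        }
        log.error("UnSupported Signature Algorithm");
        throw new IdentityOAuth2Exception("UnSupported Signature Algorithm");
    }

    /**
     * Maps the algorithm name used in identity.xml to its JWS algorithm.
     *
     * @param str configured algorithm name, e.g. {@code SHA256withRSA}; may be {@code null}
     * @return the corresponding {@link JWSAlgorithm}
     * @throws IdentityOAuth2Exception if the name is {@code null} or not one of the nine supported values
     */
    protected JWSAlgorithm mapSignatureAlgorithm(String str) throws IdentityOAuth2Exception {
        if (str != null) {
            switch (str) {
                case "SHA256withRSA":
                    return JWSAlgorithm.RS256;
                case "SHA384withRSA":
                    return JWSAlgorithm.RS384;
                case "SHA512withRSA":
                    return JWSAlgorithm.RS512;
                case "SHA256withHMAC":
                    return JWSAlgorithm.HS256;
                case "SHA384withHMAC":
                    return JWSAlgorithm.HS384;
                case "SHA512withHMAC":
                    return JWSAlgorithm.HS512;
                case "SHA256withEC":
                    return JWSAlgorithm.ES256;
                case "SHA384withEC":
                    return JWSAlgorithm.ES384;
                case "SHA512withEC":
                    return JWSAlgorithm.ES512;
                default:
                    break;
            }
        }
        log.error("Unsupported Signature Algorithm in identity.xml");
        throw new IdentityOAuth2Exception("Unsupported Signature Algorithm in identity.xml");
    }
}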
