package com.authlete.jose.tool;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.ECDSASigner;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.bc.BouncyCastleProviderSingleton;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKMatcher;
import com.nimbusds.jose.jwk.JWKSelector;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyType;
import com.nimbusds.jose.jwk.OctetSequenceKey;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jose.util.StandardCharset;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.PrintStream;
import java.net.URI;
import java.security.Security;
import java.text.ParseException;
import java.util.Iterator;
import java.util.List;
import org.apache.commons.io.FileUtils;
import org.apache.commons.io.IOUtils;

/* loaded from: input_file:com/authlete/jose/tool/JoseGenerator.class */
public class JoseGenerator {
    private static final String UNSECURED_JWS_HEADER = "eyJhbGciOiJub25lIn0";
    private InputStream mStandardInput;
    private PrintStream mStandardOutput;
    private PrintStream mStandardError;
    private JWSHeader mJwsHeader;
    private String mJwsHeaderOption;
    private JWKSet mJwksFromJwksFile;
    private JWKSet mJwksFromJwksUri;
    private JWKSet mJwksFromJwksEncryptingFile;
    private JWKSet mJwksFromJwksEncryptingUri;

    private static void initialize() {
        Security.addProvider(BouncyCastleProviderSingleton.getInstance());
    }

    public static void main(String[] strArr) {
        try {
            new JoseGenerator().useDefaultStandardIO().execute(strArr);
        } catch (Exception e) {
            e.printStackTrace(System.err);
            System.err.println("Failed. Try '--verbose' option for detailed reporting.");
            System.exit(1);
        }
    }

    public JoseGenerator reset() {
        this.mStandardInput = null;
        this.mStandardOutput = null;
        this.mStandardError = null;
        this.mJwsHeader = null;
        this.mJwsHeaderOption = null;
        this.mJwksFromJwksFile = null;
        this.mJwksFromJwksUri = null;
        this.mJwksFromJwksEncryptingFile = null;
        this.mJwksFromJwksEncryptingUri = null;
        return this;
    }

    public JoseGenerator useDefaultStandardIO() {
        this.mStandardInput = System.in;
        this.mStandardOutput = System.out;
        this.mStandardError = System.err;
        return this;
    }

    public InputStream getStandardInput() {
        return this.mStandardInput;
    }

    public JoseGenerator setStandardInput(InputStream inputStream) {
        this.mStandardInput = inputStream;
        return this;
    }

    public PrintStream getStandardOutput() {
        return this.mStandardOutput;
    }

    public JoseGenerator setStandardOutput(PrintStream printStream) {
        this.mStandardOutput = printStream;
        return this;
    }

    public PrintStream getStandardError() {
        return this.mStandardError;
    }

    public JoseGenerator setStandardError(PrintStream printStream) {
        this.mStandardError = printStream;
        return this;
    }

    public String execute(String[] strArr) throws IOException, ParseException, JOSEException {
        JoseGeneratorOptions parse = new JoseGeneratorOptionsParser().parse(strArr);
        verbose(parse, "Reading the payload.", new Object[0]);
        byte[] readPayload = readPayload(parse);
        verbose(parse, "Wrapping the payload.", new Object[0]);
        String wrapPayload = wrapPayload(parse, readPayload);
        verbose(parse, "Writing the result: %s", wrapPayload);
        output(parse, wrapPayload);
        verbose(parse, "Done.", new Object[0]);
        return wrapPayload;
    }

    private byte[] readPayload(JoseGeneratorOptions joseGeneratorOptions) throws IOException {
        if (joseGeneratorOptions.payload != null) {
            verbose(joseGeneratorOptions, "Using the value specified by the '--payload' option as the value of the payload.", new Object[0]);
            return joseGeneratorOptions.payload.getBytes(StandardCharset.UTF_8);
        }
        if (joseGeneratorOptions.payloadBase64Url != null) {
            verbose(joseGeneratorOptions, "Using the value specified by the '--payload-base64url' option as the value of the payload.", new Object[0]);
            return joseGeneratorOptions.payloadBase64Url;
        }
        if (joseGeneratorOptions.payloadFile != null) {
            verbose(joseGeneratorOptions, "Using the content of the file specified by the '--payload-file' option as the value of the payload.", new Object[0]);
            return FileUtils.readFileToByteArray(joseGeneratorOptions.payloadFile);
        }
        if (joseGeneratorOptions.payloadUri != null) {
            verbose(joseGeneratorOptions, "Using the content pointed to by the '--payload-uri' option as the value of the payload.", new Object[0]);
            return IOUtils.toByteArray(joseGeneratorOptions.payloadUri);
        }
        InputStream standardInput = getStandardInput();
        if (standardInput == null) {
            throw fatal(null, "The standard input is not available, so the payload data cannot be read.", new Object[0]);
        }
        verbose(joseGeneratorOptions, "Reading the standard input as the value of the payload.", new Object[0]);
        return IOUtils.toByteArray(standardInput);
    }

    private String wrapPayload(JoseGeneratorOptions joseGeneratorOptions, byte[] bArr) throws IOException, ParseException, JOSEException {
        String unsecure;
        if (joseGeneratorOptions.sign) {
            if (joseGeneratorOptions.encrypt) {
                unsecure = signAndEncrypt(joseGeneratorOptions, bArr);
            } else {
                verbose(joseGeneratorOptions, "Generating a JWS. Encrypting is not performed because the '--encrypt' option was not given.", new Object[0]);
                unsecure = sign(joseGeneratorOptions, bArr);
                verbose(joseGeneratorOptions, "The genrated JWS is %s", unsecure);
            }
        } else if (joseGeneratorOptions.encrypt) {
            verbose(joseGeneratorOptions, "Generating a JWE. Signing is not performed because the '--sign' option was not given.", new Object[0]);
            unsecure = encrypt(joseGeneratorOptions, bArr);
            verbose(joseGeneratorOptions, "The generated JWE is %s", unsecure);
        } else {
            verbose(joseGeneratorOptions, "Generating an unsecured JWS because neither the '--sign' option nor the '--encrypt' option was given.", new Object[0]);
            unsecure = unsecure(joseGeneratorOptions, bArr);
            verbose(joseGeneratorOptions, "The generated unsecured JWS is %s", unsecure);
        }
        return unsecure;
    }

    private void output(JoseGeneratorOptions joseGeneratorOptions, String str) throws IOException {
        if (joseGeneratorOptions.outputFile != null) {
            verbose(joseGeneratorOptions, "Writing the result to the file '%s'.", joseGeneratorOptions.outputFile);
            FileUtils.write(joseGeneratorOptions.outputFile, str, StandardCharset.UTF_8);
            return;
        }
        PrintStream standardOutput = getStandardOutput();
        if (standardOutput == null) {
            verbose(joseGeneratorOptions, "The standard output is not available, so the output is not written.", new Object[0]);
            return;
        }
        verbose(joseGeneratorOptions, "Writing the result to the standard output.", new Object[0]);
        IOUtils.write(str, standardOutput, StandardCharset.UTF_8);
        standardOutput.flush();
    }

    private String signAndEncrypt(JoseGeneratorOptions joseGeneratorOptions, byte[] bArr) throws IOException, ParseException, JOSEException {
        if (joseGeneratorOptions.encryptThenSign) {
            verbose(joseGeneratorOptions, "Generating a JWS which wraps a JWE.", new Object[0]);
            String encrypt = encrypt(joseGeneratorOptions, bArr);
            byte[] bytes = encrypt.getBytes(StandardCharset.UTF_8);
            verbose(joseGeneratorOptions, "The generated JWE that will be wrapped is %s", encrypt);
            String sign = sign(joseGeneratorOptions, bytes);
            verbose(joseGeneratorOptions, "The generated JWS that wraps the JWE is %s", sign);
            return sign;
        }
        verbose(joseGeneratorOptions, "Generating a JWE which wraps a JWS.", new Object[0]);
        String sign2 = sign(joseGeneratorOptions, bArr);
        byte[] bytes2 = sign2.getBytes(StandardCharset.UTF_8);
        verbose(joseGeneratorOptions, "The genrated JWS that will be wrapped is %s", sign2);
        String encrypt2 = encrypt(joseGeneratorOptions, bytes2);
        verbose(joseGeneratorOptions, "The generated JWE that wraps the JWS is %s", encrypt2);
        return encrypt2;
    }

    private String sign(JoseGeneratorOptions joseGeneratorOptions, byte[] bArr) throws IOException, ParseException, JOSEException {
        String signUsingKeyOrKeyFileOrKeyUri;
        verbose(joseGeneratorOptions, "Signing.", new Object[0]);
        processJwsHeaderOption(joseGeneratorOptions);
        JWSAlgorithm signingAlg = getSigningAlg(joseGeneratorOptions, this.mJwsHeader, this.mJwsHeaderOption);
        if (signingAlg != null && signingAlg.getName().equals("none")) {
            verbose(joseGeneratorOptions, "Creating an unsecured JWS because 'none' is specified " + (joseGeneratorOptions.signingAlg != null ? "by the '--signing-alg' option." : "by the 'alg' parameter in the JWS header specified by the " + this.mJwsHeaderOption + " option"), new Object[0]);
            return unsecure(joseGeneratorOptions, bArr);
        }
        if (signingAlg != null && signingAlg.getName().startsWith("HS") && (signUsingKeyOrKeyFileOrKeyUri = signUsingKeyOrKeyFileOrKeyUri(joseGeneratorOptions, bArr, signingAlg)) != null) {
            return signUsingKeyOrKeyFileOrKeyUri;
        }
        String signUsingJwkSigningAlg = signUsingJwkSigningAlg(joseGeneratorOptions, bArr);
        if (signUsingJwkSigningAlg != null) {
            return signUsingJwkSigningAlg;
        }
        String signUsingJWKSetOrJWKSetFileOrJWKSetUri = signUsingJWKSetOrJWKSetFileOrJWKSetUri(joseGeneratorOptions, bArr, joseGeneratorOptions.jwksSigningAlg, "--jwks-signing-alg", joseGeneratorOptions.jwksSigningAlgFile, "--jwks-signing-alg-file", null, null, joseGeneratorOptions.jwksSigningAlgUri, "--jwks-signing-alg-uri", null, null);
        if (signUsingJWKSetOrJWKSetFileOrJWKSetUri != null) {
            return signUsingJWKSetOrJWKSetFileOrJWKSetUri;
        }
        String signUsingJWKSetOrJWKSetFileOrJWKSetUri2 = signUsingJWKSetOrJWKSetFileOrJWKSetUri(joseGeneratorOptions, bArr, joseGeneratorOptions.jwksSigning, "--jwks-signing", joseGeneratorOptions.jwksSigningFile, "--jwks-signing-file", null, null, joseGeneratorOptions.jwksSigningUri, "--jwks-signing-uri", null, null);
        if (signUsingJWKSetOrJWKSetFileOrJWKSetUri2 != null) {
            return signUsingJWKSetOrJWKSetFileOrJWKSetUri2;
        }
        JWKSet[] jWKSetArr = new JWKSet[1];
        JWKSet[] jWKSetArr2 = new JWKSet[1];
        String signUsingJWKSetOrJWKSetFileOrJWKSetUri3 = signUsingJWKSetOrJWKSetFileOrJWKSetUri(joseGeneratorOptions, bArr, joseGeneratorOptions.jwks, "--jwks", joseGeneratorOptions.jwksFile, "--jwks-file", this.mJwksFromJwksFile, jWKSetArr, joseGeneratorOptions.jwksUri, "--jwks-uri", this.mJwksFromJwksUri, jWKSetArr2);
        if (jWKSetArr[0] != null) {
            this.mJwksFromJwksFile = jWKSetArr[0];
        }
        if (jWKSetArr2[0] != null) {
            this.mJwksFromJwksUri = jWKSetArr2[0];
        }
        if (signUsingJWKSetOrJWKSetFileOrJWKSetUri3 != null) {
            return signUsingJWKSetOrJWKSetFileOrJWKSetUri3;
        }
        throw fatal(null, "Key for signing is not available. Use '--jwk-signing-alg[-*] option or '--jwks[-signing[-alg]][-file|-uri]' option. In addtion, if the signing algorithm is symmetric (HS256/HS384/HS512), '--signing-alg-key[-*]' options can be used.", new Object[0]);
    }

    private void processJwsHeaderOption(JoseGeneratorOptions joseGeneratorOptions) throws IOException, ParseException {
        if (joseGeneratorOptions.jwsHeader != null) {
            this.mJwsHeader = joseGeneratorOptions.jwsHeader;
            this.mJwsHeaderOption = "--jws-header";
        } else if (joseGeneratorOptions.jwsHeaderBase64Url != null) {
            this.mJwsHeader = joseGeneratorOptions.jwsHeaderBase64Url;
            this.mJwsHeaderOption = "--jws-header-base64url";
        } else if (joseGeneratorOptions.jwsHeaderFile != null) {
            this.mJwsHeader = readJWSHeader(joseGeneratorOptions, joseGeneratorOptions.jwsHeaderFile, "--jws-header-file");
            this.mJwsHeaderOption = "--jws-header-file";
        } else {
            if (joseGeneratorOptions.jwsHeaderUri == null) {
                return;
            }
            this.mJwsHeader = fetchJWSHeader(joseGeneratorOptions, joseGeneratorOptions.jwsHeaderUri, "--jws-header-uri");
            this.mJwsHeaderOption = "--jws-header-uri";
        }
        verbose(joseGeneratorOptions, "Using the JWS header specified by the '%s' option.", this.mJwsHeaderOption);
        verbose(joseGeneratorOptions, "The value of the specified JWS header is %s", this.mJwsHeader);
    }

    private JWSHeader readJWSHeader(JoseGeneratorOptions joseGeneratorOptions, File file, String str) throws IOException, ParseException {
        verbose(joseGeneratorOptions, "Reading the JWS header pointed to by the '%s' option. (%s)", str, file);
        String readFileToString = FileUtils.readFileToString(file, StandardCharset.UTF_8);
        verbose(joseGeneratorOptions, "Converting the content of the file (%s) into a JWS header.", file);
        return JWSHeader.parse(readFileToString);
    }

    private JWSHeader fetchJWSHeader(JoseGeneratorOptions joseGeneratorOptions, URI uri, String str) throws IOException, ParseException {
        verbose(joseGeneratorOptions, "Fetching the JWS header pointed to by the '%s' option. (%s)", str, uri);
        String iOUtils = IOUtils.toString(uri, StandardCharset.UTF_8);
        verbose(joseGeneratorOptions, "Converting the content of the URI (%s) into a JWS header.", uri);
        return JWSHeader.parse(iOUtils);
    }

    private JWSAlgorithm getSigningAlg(JoseGeneratorOptions joseGeneratorOptions, JWSHeader jWSHeader, String str) {
        JWSAlgorithm jWSAlgorithm = joseGeneratorOptions.signingAlg;
        JWSAlgorithm algorithm = jWSHeader == null ? null : jWSHeader.getAlgorithm();
        if (jWSAlgorithm == null) {
            return algorithm;
        }
        if (algorithm != null && !jWSAlgorithm.getName().equals(algorithm.getName())) {
            throw fatal(null, "The signing algorithm specified by the '--signing-alg' option (%s) and the algorithm in the JWS header specified by the '%s' option (%s) do not match.", jWSAlgorithm.getName(), str, algorithm.getName());
        }
        return jWSAlgorithm;
    }

    private String signUsingKeyOrKeyFileOrKeyUri(JoseGeneratorOptions joseGeneratorOptions, byte[] bArr, JWSAlgorithm jWSAlgorithm) throws IOException, JOSEException {
        byte[] determineKeyFromSigningAlgKeyOptions = determineKeyFromSigningAlgKeyOptions(joseGeneratorOptions);
        if (determineKeyFromSigningAlgKeyOptions == null) {
            return null;
        }
        JWSObject createJwsObject = createJwsObject(jWSAlgorithm, null, bArr);
        createJwsObject.sign(new MACSigner(determineKeyFromSigningAlgKeyOptions));
        return createJwsObject.serialize();
    }

    private byte[] determineKeyFromSigningAlgKeyOptions(JoseGeneratorOptions joseGeneratorOptions) throws IOException {
        if (joseGeneratorOptions.signingAlgKey != null) {
            verbose(joseGeneratorOptions, "Using the key specified by the '--signing-alg-key' option for signing.", new Object[0]);
            return joseGeneratorOptions.signingAlgKey.getBytes(StandardCharset.UTF_8);
        }
        if (joseGeneratorOptions.signingAlgKeyBase64Url != null) {
            verbose(joseGeneratorOptions, "Using the key specified by the '--signing-alg-key-base64url' option for signing.", new Object[0]);
            return joseGeneratorOptions.signingAlgKeyBase64Url;
        }
        if (joseGeneratorOptions.signingAlgKeyFile != null) {
            verbose(joseGeneratorOptions, "Using the key specified by the '--signing-alg-key-file' option for signing.", new Object[0]);
            return FileUtils.readFileToByteArray(joseGeneratorOptions.signingAlgKeyFile);
        }
        if (joseGeneratorOptions.signingAlgKeyUri == null) {
            return null;
        }
        verbose(joseGeneratorOptions, "Using the key specified by the '--signing-alg-key-uri' option for signing.", new Object[0]);
        return IOUtils.toByteArray(joseGeneratorOptions.signingAlgKeyUri);
    }

    private String signUsingJwkSigningAlg(JoseGeneratorOptions joseGeneratorOptions, byte[] bArr) throws JOSEException, IOException, ParseException {
        if (joseGeneratorOptions.jwkSigningAlg != null) {
            verbose(joseGeneratorOptions, "Signing using the JWK specified by the '--jwk-signing-alg' option.", new Object[0]);
            return signUsingJWK(joseGeneratorOptions, bArr, joseGeneratorOptions.jwkSigningAlg);
        }
        if (joseGeneratorOptions.jwkSigningAlgFile != null) {
            JWK readJWK = readJWK(joseGeneratorOptions, joseGeneratorOptions.jwkSigningAlgFile, "--jwk-signing-alg-file");
            verbose(joseGeneratorOptions, "Signing using the JWK specified by the '--jwk-signing-alg-file' option.", new Object[0]);
            return signUsingJWK(joseGeneratorOptions, bArr, readJWK);
        }
        if (joseGeneratorOptions.jwkSigningAlgUri == null) {
            return null;
        }
        JWK fetchJWK = fetchJWK(joseGeneratorOptions, joseGeneratorOptions.jwkSigningAlgUri, "--jwk-signing-alg-uri");
        verbose(joseGeneratorOptions, "Signing using the JWK specified by the '--jwk-signing-alg-uri' option.", new Object[0]);
        return signUsingJWK(joseGeneratorOptions, bArr, fetchJWK);
    }

    private String signUsingJWK(JoseGeneratorOptions joseGeneratorOptions, byte[] bArr, JWK jwk) throws JOSEException {
        verbose(joseGeneratorOptions, "Signing with a JWK.", new Object[0]);
        checkKidForSigning(joseGeneratorOptions, jwk);
        checkAlgForSigning(joseGeneratorOptions, jwk);
        JWSAlgorithm determineAlgForSigning = determineAlgForSigning(joseGeneratorOptions, jwk);
        KeyType keyType = jwk.getKeyType();
        if (!Support.isSupportedJwkKty(keyType)) {
            throw fatal(null, "The 'kty' (%s) in the JWK is not supported.", keyType);
        }
        JWSObject createJwsObject = createJwsObject(determineAlgForSigning, jwk.getKeyID(), bArr);
        createJwsObject.sign(createSigner(joseGeneratorOptions, keyType, jwk));
        return createJwsObject.serialize();
    }

    private JWK readJWK(JoseGeneratorOptions joseGeneratorOptions, File file, String str) throws IOException, ParseException {
        verbose(joseGeneratorOptions, "Reading the JWK pointed to by the '%s' option. (%s)", str, file);
        String readFileToString = FileUtils.readFileToString(file, StandardCharset.UTF_8);
        verbose(joseGeneratorOptions, "Converting the content of the file (%s) into a JWK.", file);
        return JWK.parse(readFileToString);
    }

    private JWK fetchJWK(JoseGeneratorOptions joseGeneratorOptions, URI uri, String str) throws IOException, ParseException {
        verbose(joseGeneratorOptions, "Fetching the JWK pointed to by the '%s' option. (%s)", str, uri);
        String iOUtils = IOUtils.toString(uri, StandardCharset.UTF_8);
        verbose(joseGeneratorOptions, "Converting the content of the URI (%s) into a JWK.", uri);
        return JWK.parse(iOUtils);
    }

    private void checkKidForSigning(JoseGeneratorOptions joseGeneratorOptions, JWK jwk) {
        String str = joseGeneratorOptions.signingAlgKid;
        String keyID = this.mJwsHeader == null ? null : this.mJwsHeader.getKeyID();
        Object keyID2 = jwk.getKeyID();
        if (str == null) {
            if (keyID != null && keyID2 != null && !keyID.equals(keyID2)) {
                throw fatal(null, "The key ID (%s) in the JWS header specified by the '%s' option and the key ID (%s) in the JWK are different.", keyID, this.mJwsHeaderOption, keyID2);
            }
            return;
        }
        if (keyID == null) {
            if (keyID2 != null && !str.equals(keyID2)) {
                throw fatal(null, "The key ID (%s) specified by the '--signing-alg-kid' option and the key ID (%s) in the JWK are different.", str, keyID2);
            }
        } else {
            if (!str.equals(keyID)) {
                throw fatal(null, "The key ID (%s) specified by the '--signing-alg-kid' option and the key ID (%s) in the JWS header specified by the '%s' option are different.", str, keyID, this.mJwsHeaderOption);
            }
            if (keyID2 != null) {
                throw fatal(null, "The key ID (%s) specified by the '--signing-alg-kid' option and the key ID (%s) in the JWK are different.", str, keyID2);
            }
        }
    }

    private void checkAlgForSigning(JoseGeneratorOptions joseGeneratorOptions, JWK jwk) {
        String name = joseGeneratorOptions.signingAlg == null ? null : joseGeneratorOptions.signingAlg.getName();
        String name2 = (this.mJwsHeader == null || this.mJwsHeader.getAlgorithm() == null) ? null : this.mJwsHeader.getAlgorithm().getName();
        Object name3 = jwk.getAlgorithm() == null ? null : jwk.getAlgorithm().getName();
        if (name == null) {
            if (name2 != null && name3 != null && !name2.equals(name3)) {
                throw fatal(null, "The algorithm (%s) in the JWS header specified by the '%s' option and the algorithm (%s) in the JWK are different.", name2, this.mJwsHeaderOption, name3);
            }
            return;
        }
        if (name2 == null) {
            if (name3 != null && !name.equals(name3)) {
                throw fatal(null, "The algorithm (%s) specified by the '--signing-alg' option and the algorithm (%s) in the JWK are different.", name, name3);
            }
        } else {
            if (!name.equals(name2)) {
                throw fatal(null, "The algorithm (%s) specified by the '--signing-alg' option and the algorithm (%s) in the JWS header specified by the '%s' option are different.", name, name2, this.mJwsHeaderOption);
            }
            if (name3 != null) {
                throw fatal(null, "The algorithm (%s) specified by the '--signing-alg' option and the algorithm (%s) in the JWK are different.", name, name3);
            }
        }
    }

    private JWSAlgorithm determineAlgForSigning(JoseGeneratorOptions joseGeneratorOptions, JWK jwk) {
        JWSAlgorithm algorithm;
        if (joseGeneratorOptions.signingAlg != null) {
            return joseGeneratorOptions.signingAlg;
        }
        if (this.mJwsHeader != null && (algorithm = this.mJwsHeader.getAlgorithm()) != null) {
            if (Support.isSupportedJwsAlg(algorithm)) {
                return algorithm;
            }
            throw fatal(null, "The value (%s) of the 'alg' parameter in the JWS header specified by the '%s' option is not supported.", algorithm.getName(), this.mJwsHeaderOption);
        }
        Algorithm algorithm2 = jwk.getAlgorithm();
        if (algorithm2 == null) {
            throw fatal(null, "The JWK does not have 'alg', so the algorithm for signing must be specified explicitly by the '--signing-alg' option or by the 'alg' parameter in the JWS header specified by one of the '--jws-header[-*]' options.", new Object[0]);
        }
        JWSAlgorithm parse = JWSAlgorithm.parse(algorithm2.getName());
        if (Support.isSupportedJwsAlg(parse)) {
            return parse;
        }
        throw fatal(null, "The value (%s) of the 'alg' parameter in the JWK is not supported.", algorithm2.getName());
    }

    private String signUsingJWKSetOrJWKSetFileOrJWKSetUri(JoseGeneratorOptions joseGeneratorOptions, byte[] bArr, JWKSet jWKSet, String str, File file, String str2, JWKSet jWKSet2, JWKSet[] jWKSetArr, URI uri, String str3, JWKSet jWKSet3, JWKSet[] jWKSetArr2) throws IOException, ParseException, JOSEException {
        if (jWKSet != null) {
            return signUsingJWKSet(joseGeneratorOptions, bArr, jWKSet, str);
        }
        if (file != null) {
            if (jWKSet2 != null) {
                return signUsingJWKSet(joseGeneratorOptions, bArr, jWKSet2, str2);
            }
            JWKSet readJWKSet = readJWKSet(joseGeneratorOptions, file, str2);
            if (jWKSetArr != null) {
                jWKSetArr[0] = readJWKSet;
            }
            return signUsingJWKSet(joseGeneratorOptions, bArr, readJWKSet, str2);
        }
        if (uri == null) {
            return null;
        }
        if (jWKSet3 != null) {
            return signUsingJWKSet(joseGeneratorOptions, bArr, jWKSet3, str3);
        }
        JWKSet fetchJWKSet = fetchJWKSet(joseGeneratorOptions, uri, str3);
        if (jWKSetArr2 != null) {
            jWKSetArr2[0] = fetchJWKSet;
        }
        return signUsingJWKSet(joseGeneratorOptions, bArr, fetchJWKSet, str3);
    }

    private JWSSigner createSigner(JoseGeneratorOptions joseGeneratorOptions, KeyType keyType, JWK jwk) throws JOSEException {
        verbose(joseGeneratorOptions, "Creating a signer for the key type (%s).", keyType);
        if (keyType == KeyType.EC) {
            return new ECDSASigner((ECKey) jwk);
        }
        if (keyType == KeyType.OCT) {
            return new MACSigner((OctetSequenceKey) jwk);
        }
        if (keyType == KeyType.RSA) {
            return new RSASSASigner((RSAKey) jwk);
        }
        throw fatal(null, "Cannot create a signer for the key type (%s).", keyType);
    }

    private String signUsingJWKSet(JoseGeneratorOptions joseGeneratorOptions, byte[] bArr, JWKSet jWKSet, String str) throws JOSEException {
        verbose(joseGeneratorOptions, "Signing using the JWK Set document specified by the '%s' option.", str);
        List<JWK> keys = jWKSet.getKeys();
        if (keys == null || keys.size() == 0) {
            throw fatal(null, "The JWK Set document specified by the '%s' option does not contain keys.", str);
        }
        if (keys.size() == 1) {
            verbose(joseGeneratorOptions, "The number of keys in the JWK Set document is 1, so the JWK is used for signing.", new Object[0]);
            return signUsingJWK(joseGeneratorOptions, bArr, keys.get(0));
        }
        String signUsingJWKSetByKid = signUsingJWKSetByKid(joseGeneratorOptions, bArr, keys);
        if (signUsingJWKSetByKid != null) {
            return signUsingJWKSetByKid;
        }
        JWSAlgorithm determineSigningAlg = determineSigningAlg(joseGeneratorOptions, keys);
        String signUsingJWKSetByAlg = signUsingJWKSetByAlg(joseGeneratorOptions, bArr, keys, determineSigningAlg);
        if (signUsingJWKSetByAlg != null) {
            return signUsingJWKSetByAlg;
        }
        String signUsingJWKSetByKty = signUsingJWKSetByKty(joseGeneratorOptions, bArr, jWKSet, determineSigningAlg);
        if (signUsingJWKSetByKty != null) {
            return signUsingJWKSetByKty;
        }
        throw fatal(null, "Could not find any appropriate JWK for the algorithm (%s) for signing.", determineSigningAlg.getName());
    }

    private JWKSet readJWKSet(JoseGeneratorOptions joseGeneratorOptions, File file, String str) throws IOException, ParseException {
        verbose(joseGeneratorOptions, "Reading the JWK Set document pointed to by the '%s' option. (%s)", str, file);
        return JWKSet.load(file);
    }

    private JWKSet fetchJWKSet(JoseGeneratorOptions joseGeneratorOptions, URI uri, String str) throws IOException, ParseException {
        verbose(joseGeneratorOptions, "Fetching the JWK Set document pointed to by the '%s' option. (%s)", str, uri);
        return JWKSet.load(uri.toURL(), joseGeneratorOptions.connectTimeout, joseGeneratorOptions.readTimeout, 0);
    }

    private String signUsingJWKSetByKid(JoseGeneratorOptions joseGeneratorOptions, byte[] bArr, List<JWK> list) throws JOSEException {
        String keyID = joseGeneratorOptions.signingAlgKid != null ? joseGeneratorOptions.signingAlgKid : this.mJwsHeader != null ? this.mJwsHeader.getKeyID() : null;
        if (keyID == null) {
            return null;
        }
        return signUsingJWK(joseGeneratorOptions, bArr, findJwkByKid(joseGeneratorOptions, list, keyID));
    }

    private JWSAlgorithm determineSigningAlg(JoseGeneratorOptions joseGeneratorOptions, List<JWK> list) {
        JWSAlgorithm algorithm = joseGeneratorOptions.signingAlg != null ? joseGeneratorOptions.signingAlg : this.mJwsHeader != null ? this.mJwsHeader.getAlgorithm() : null;
        if (algorithm != null) {
            return algorithm;
        }
        if (!haveSameAlgorithm(list)) {
            throw fatal(null, "The algorithm for signing must be specified by the '--signing-alg' option or other means", new Object[0]);
        }
        JWSAlgorithm parse = JWSAlgorithm.parse(list.get(0).getAlgorithm().getName());
        verbose(joseGeneratorOptions, "Using %s as the algorithm for signing because all the JWKs in the JWK Set document have the same algorithm.", parse.getName());
        if (Support.isSupportedJwsAlg(parse)) {
            return parse;
        }
        throw fatal(null, "All the JWKs in the JWK Set document have the same algorithm (%s), but it is not supported.", parse.getName());
    }

    private String signUsingJWKSetByAlg(JoseGeneratorOptions joseGeneratorOptions, byte[] bArr, List<JWK> list, JWSAlgorithm jWSAlgorithm) throws JOSEException {
        String name;
        JWK jwk = null;
        Iterator<JWK> it = list.iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            JWK next = it.next();
            if (next != null && next.getAlgorithm() != null && (name = next.getAlgorithm().getName()) != null && name.equals(jWSAlgorithm.getName())) {
                if (next.getKeyID() != null) {
                    jwk = next;
                    break;
                }
                jwk = next;
            }
        }
        if (jwk == null) {
            return null;
        }
        if (jwk.getKeyID() == null || !haveDuplicateKid(list, jwk.getKeyID())) {
            return signUsingJWK(joseGeneratorOptions, bArr, jwk);
        }
        throw fatal(null, "The JWK Set document contains multiple JWKs that have the same key ID (%s).", jwk.getKeyID());
    }

    private JWK findJwkByKid(JoseGeneratorOptions joseGeneratorOptions, List<JWK> list, String str) {
        JWK jwk = null;
        for (JWK jwk2 : list) {
            if (jwk2 != null && str.equals(jwk2.getKeyID())) {
                if (jwk != null) {
                    throw fatal(null, "The JWK Set document contains JWKs with the same key ID (%s).", str);
                }
                jwk = jwk2;
            }
        }
        if (jwk == null) {
            throw fatal(null, "The JWK Set document does not contain a JWK having the key ID (%s).", str);
        }
        verbose(joseGeneratorOptions, "A JWK having the key ID (%s) was found in the JWK Set document.", str);
        return jwk;
    }

    private boolean haveSameAlgorithm(List<JWK> list) {
        String name;
        String str = null;
        for (JWK jwk : list) {
            if (jwk == null || jwk.getAlgorithm() == null || (name = jwk.getAlgorithm().getName()) == null) {
                return false;
            }
            if (str == null) {
                str = name;
            } else if (!str.equals(name)) {
                return false;
            }
        }
        return str != null;
    }

    private boolean haveDuplicateKid(List<JWK> list, String str) {
        boolean z = false;
        for (JWK jwk : list) {
            if (jwk != null && jwk.getKeyID() != null && jwk.getKeyID().equals(str)) {
                if (z) {
                    return true;
                }
                z = true;
            }
        }
        return false;
    }

    private String signUsingJWKSetByKty(JoseGeneratorOptions joseGeneratorOptions, byte[] bArr, JWKSet jWKSet, JWSAlgorithm jWSAlgorithm) throws JOSEException {
        KeyType forAlgorithm = KeyType.forAlgorithm(jWSAlgorithm);
        List select = new JWKSelector(new JWKMatcher.Builder().keyType(forAlgorithm).hasKeyID(true).build()).select(jWKSet);
        if (select == null || select.size() == 0) {
            select = new JWKSelector(new JWKMatcher.Builder().keyType(forAlgorithm).hasKeyID(false).build()).select(jWKSet);
        }
        if (select == null || select.size() == 0) {
            throw fatal(null, "The JWK Set document does not have any appropriate JWK for the algorithm (%s)", jWSAlgorithm.getName());
        }
        return signUsingJWK(joseGeneratorOptions, bArr, (JWK) select.get(0));
    }

    private JWSObject createJwsObject(JWSAlgorithm jWSAlgorithm, String str, Object obj) {
        return new JWSObject(this.mJwsHeader != null ? this.mJwsHeader : new JWSHeader.Builder(jWSAlgorithm).keyID(str).build(), createPayload(obj));
    }

    private Payload createPayload(Object obj) {
        return obj instanceof byte[] ? new Payload((byte[]) obj) : obj instanceof String ? new Payload((String) obj) : new Payload(obj.toString());
    }

    private String encrypt(JoseGeneratorOptions joseGeneratorOptions, byte[] bArr) {
        verbose(joseGeneratorOptions, "Encrypting.", new Object[0]);
        throw fatal(null, "Encryption is not supported. (under development)", new Object[0]);
    }

    private String unsecure(JoseGeneratorOptions joseGeneratorOptions, byte[] bArr) {
        verbose(joseGeneratorOptions, "Creating an unsecured JWS.", new Object[0]);
        return String.format("%s.%s.", UNSECURED_JWS_HEADER, Base64URL.encode(bArr).toString());
    }

    private void verbose(JoseGeneratorOptions joseGeneratorOptions, String str, Object... objArr) {
        PrintStream standardError;
        if (joseGeneratorOptions.verbose && (standardError = getStandardError()) != null) {
            standardError.print("# ");
            standardError.format(str, objArr);
            standardError.println();
            standardError.flush();
        }
    }

    private RuntimeException fatal(Throwable th, String str, Object... objArr) {
        String format = String.format(str, objArr);
        PrintStream standardError = getStandardError();
        if (standardError != null) {
            if (th != null) {
                th.printStackTrace(standardError);
            }
            standardError.println(format);
        }
        return th != null ? new RuntimeException(format, th) : new RuntimeException(format);
    }

    static {
        initialize();
    }
}
