package org.eclipse.edc.security.token.jwt;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.Requirement;
import com.nimbusds.jose.crypto.ECDSASigner;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.crypto.Ed25519Signer;
import com.nimbusds.jose.crypto.Ed25519Verifier;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.crypto.bc.BouncyCastleProviderSingleton;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.OctetKeyPair;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.util.Base64URL;
import java.security.AlgorithmParameters;
import java.security.Key;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.EdECKey;
import java.security.interfaces.EdECPrivateKey;
import java.security.interfaces.EdECPublicKey;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECPublicKeySpec;
import java.security.spec.EdECPoint;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.InvalidParameterSpecException;
import java.security.spec.RSAPublicKeySpec;
import java.text.ParseException;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import org.bouncycastle.jcajce.provider.asymmetric.util.EC5Util;
import org.bouncycastle.math.ec.ECPoint;
import org.eclipse.edc.spi.EdcException;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

/* loaded from: input_file:org/eclipse/edc/security/token/jwt/CryptoConverter.class */
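/**
 * Converts between JCA key objects ({@link PrivateKey}, {@link PublicKey}, {@link KeyPair}), Nimbus {@link JWK}s and
 * the Nimbus {@link JWSSigner} / {@link JWSVerifier} implementations that match them.
 * <p>
 * Supported key families are EC, RSA and EdDSA (Ed25519). All methods are static and keep no state.
 * <p>
 * Security notes for callers:
 * <ul>
 *   <li>The signer/verifier implementation is always chosen from the key object itself, never from token content.</li>
 *   <li>JWKs built from a key pair that holds a private key carry the private parameters too; export only the public
 *       part (for example via {@code JWK#toPublicJWK()}) before publishing a key.</li>
 * </ul>
 */
public class CryptoConverter {
    public static final String ALGORITHM_EC = "EC";
    public static final String ALGORITHM_RSA = "RSA";
    // Despite the constant's name, the value is the JCA algorithm name "EdDSA" (not ECDSA).
    public static final String ALGORITHM_ECDSA = "EdDSA";
    public static final String ALGORITHM_ED25519 = "Ed25519";
    public static final List<String> SUPPORTED_ALGORITHMS = List.of(ALGORITHM_EC, ALGORITHM_RSA, ALGORITHM_ECDSA, ALGORITHM_ED25519);

    // JWK "kty" value used for octet key pairs (EdDSA keys).
    private static final String JWK_TYPE_OKP = "OKP";
    // RFC 8032 encodes an Ed25519 public key as exactly 32 octets.
    private static final int ED25519_PUBLIC_KEY_LENGTH = 32;

    /**
     * Creates a {@link JWSSigner} for the given private key, selected by {@link PrivateKey#getAlgorithm()}.
     *
     * @param privateKey the signing key; must be an EC, RSA or EdDSA/Ed25519 key.
     * @return an ECDSA, RSASSA or Ed25519 signer matching the key.
     * @throws IllegalArgumentException if the key's algorithm is not one of {@link #SUPPORTED_ALGORITHMS}.
     * @throws EdcException if Nimbus rejects the key while constructing the signer.
     */
    public static JWSSigner createSignerFor(PrivateKey privateKey) {
        var algorithm = privateKey.getAlgorithm();
        try {
            return switch (algorithm) {
                case ALGORITHM_EC -> getEcdsaSigner((ECPrivateKey) privateKey);
                case ALGORITHM_RSA -> new RSASSASigner(privateKey);
                case ALGORITHM_ECDSA, ALGORITHM_ED25519 -> createEdDsaSigner(privateKey);
                default -> throw new IllegalArgumentException(notSupportedError(algorithm));
            };
        } catch (JOSEException e) {
            throw new EdcException(notSupportedError(algorithm), e);
        }
    }

    /**
     * Builds an ECDSA signer and sets BouncyCastle as the JCA provider on it.
     * NOTE(review): presumably BouncyCastle is pinned to support curves the default provider lacks — confirm.
     */
    @NotNull
    private static ECDSASigner getEcdsaSigner(ECPrivateKey privateKey) throws JOSEException {
        var signer = new ECDSASigner(privateKey);
        signer.getJCAContext().setProvider(BouncyCastleProviderSingleton.getInstance());
        return signer;
    }

    /**
     * Creates a {@link JWSVerifier} for the given public key, selected by {@link PublicKey#getAlgorithm()}.
     * <p>
     * The choice depends only on the key, so a token cannot influence which verifier implementation is used.
     *
     * @param publicKey the verification key; must be an EC, RSA or EdDSA/Ed25519 key.
     * @return an ECDSA, RSASSA or Ed25519 verifier matching the key.
     * @throws IllegalArgumentException if the key's algorithm is not one of {@link #SUPPORTED_ALGORITHMS}.
     * @throws EdcException if Nimbus rejects the key while constructing the verifier.
     */
    public static JWSVerifier createVerifierFor(PublicKey publicKey) {
        var algorithm = publicKey.getAlgorithm();
        try {
            return switch (algorithm) {
                case ALGORITHM_EC -> getEcdsaVerifier((ECPublicKey) publicKey);
                case ALGORITHM_RSA -> new RSASSAVerifier((RSAPublicKey) publicKey);
                case ALGORITHM_ECDSA, ALGORITHM_ED25519 -> createEdDsaVerifier(publicKey);
                default -> throw new IllegalArgumentException(notSupportedError(algorithm));
            };
        } catch (JOSEException e) {
            throw new EdcException(notSupportedError(algorithm), e);
        }
    }

    /**
     * Converts a key pair into a {@link JWK} without a key ID.
     *
     * @see #createJwk(KeyPair, String)
     */
    public static JWK createJwk(KeyPair keyPair) {
        return createJwk(keyPair, null);
    }

    /**
     * Converts a key pair into a {@link JWK}. Either half of the pair may be {@code null}, but not both.
     * <p>
     * When the pair holds a private key, the returned JWK contains the private parameters as well, so it must be
     * handled as secret material and reduced to its public form before being published.
     *
     * @param keyPair the key pair to convert; the algorithm is read from the private key if present, else the public key.
     * @param str the key ID ({@code kid}) to set on the JWK, may be {@code null}.
     * @return an EC, RSA or OKP JWK.
     * @throws IllegalArgumentException if both keys are {@code null} or the algorithm is not supported.
     */
    public static JWK createJwk(KeyPair keyPair, @Nullable String str) {
        var privateKey = keyPair.getPrivate();
        var publicKey = keyPair.getPublic();
        if (privateKey == null && publicKey == null) {
            throw new IllegalArgumentException("Invalid KeyPair: public and private key were both null!");
        }
        Key representative = privateKey != null ? privateKey : publicKey;
        var algorithm = representative.getAlgorithm();
        return switch (algorithm) {
            case ALGORITHM_EC -> convertEcKey(keyPair, str);
            case ALGORITHM_RSA -> convertRsaKey(keyPair, str);
            case ALGORITHM_ECDSA, ALGORITHM_ED25519 -> convertEdDsaKey(keyPair, str);
            // report the algorithm already determined above: the public key may be null for a private-only pair,
            // and dereferencing it here would turn the intended IllegalArgumentException into a NullPointerException
            default -> throw new IllegalArgumentException(notSupportedError(algorithm));
        };
    }

    /**
     * Picks a JWS algorithm supported by the signer, preferring {@link Requirement#REQUIRED}, then
     * {@link Requirement#RECOMMENDED}, then {@link Requirement#OPTIONAL}.
     *
     * @param jWSSigner the signer whose supported algorithms are inspected.
     * @return the first matching algorithm, or {@code null} if the signer supports none with those requirement levels.
     */
    public static JWSAlgorithm getRecommendedAlgorithm(JWSSigner jWSSigner) {
        return getWithRequirement(jWSSigner, Requirement.REQUIRED)
                .or(() -> getWithRequirement(jWSSigner, Requirement.RECOMMENDED))
                .or(() -> getWithRequirement(jWSSigner, Requirement.OPTIONAL))
                .orElse(null);
    }

    /**
     * Parses a JWK from its JSON-object (map) form.
     * NOTE(review): the input may hold private key parameters; callers should avoid logging it next to a failure.
     *
     * @param map the JWK members, may be {@code null}.
     * @return the parsed JWK, or {@code null} if {@code map} is {@code null}.
     * @throws RuntimeException wrapping the {@link ParseException} if the map is not a valid JWK.
     */
    public static JWK create(Map<String, Object> map) {
        if (map == null) {
            return null;
        }
        try {
            return JWK.parse(map);
        } catch (ParseException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Parses a JWK from its JSON string form.
     * NOTE(review): the input may hold private key parameters; callers should avoid logging it next to a failure.
     *
     * @param str the JWK as JSON, may be {@code null}.
     * @return the parsed JWK, or {@code null} if {@code str} is {@code null}.
     * @throws RuntimeException wrapping the {@link ParseException} if the string is not a valid JWK.
     */
    public static JWK create(String str) {
        if (str == null) {
            return null;
        }
        try {
            return JWK.parse(str);
        } catch (ParseException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Creates a {@link JWSVerifier} for a JWK, selected by the JWK's key type ({@code kty}).
     *
     * @param jwk the key, must not be {@code null}; key types EC, OKP and RSA are supported.
     * @return an ECDSA, Ed25519 or RSASSA verifier.
     * @throws UnsupportedOperationException if the key type is not supported or Nimbus rejects the key.
     */
    public static JWSVerifier createVerifier(JWK jwk) {
        Objects.requireNonNull(jwk, "jwk cannot be null");
        var keyType = jwk.getKeyType().getValue();
        try {
            return switch (keyType) {
                case ALGORITHM_EC -> new ECDSAVerifier((ECKey) jwk);
                case JWK_TYPE_OKP -> new Ed25519Verifier((OctetKeyPair) jwk);
                case ALGORITHM_RSA -> new RSASSAVerifier((RSAKey) jwk);
                default -> throw new UnsupportedOperationException(String.format("Cannot create JWSVerifier for JWK-type [%s], currently only supporting EC, OKP and RSA", keyType));
            };
        } catch (JOSEException e) {
            throw new UnsupportedOperationException(e);
        }
    }

    /**
     * Creates a {@link JWSSigner} for a JWK, selected by the JWK's key type ({@code kty}).
     *
     * @param jwk the key, must not be {@code null}; key types EC, OKP and RSA are supported.
     * @return an ECDSA, Ed25519 or RSASSA signer.
     * @throws UnsupportedOperationException if the key type is not supported or Nimbus rejects the key.
     */
    public static JWSSigner createSigner(JWK jwk) {
        Objects.requireNonNull(jwk, "jwk cannot be null");
        var keyType = jwk.getKeyType().getValue();
        try {
            return switch (keyType) {
                case ALGORITHM_EC -> new ECDSASigner((ECKey) jwk);
                case JWK_TYPE_OKP -> new Ed25519Signer((OctetKeyPair) jwk);
                case ALGORITHM_RSA -> new RSASSASigner((RSAKey) jwk);
                // the message previously named JWSVerifier, which pointed at the wrong operation
                default -> throw new UnsupportedOperationException(String.format("Cannot create JWSSigner for JWK-type [%s], currently only supporting EC, OKP and RSA", keyType));
            };
        } catch (JOSEException e) {
            throw new UnsupportedOperationException(e);
        }
    }

    /**
     * Returns the Nimbus {@link Curve} of an Edwards-curve key, but only if its name is in the allow-list.
     *
     * @throws IllegalArgumentException if the key's curve name is not one of {@code allowedCurves}.
     */
    private static Curve getCurveAllowing(EdECKey key, String... allowedCurves) {
        var curveName = key.getParams().getName();
        if (!Arrays.asList(allowedCurves).contains(curveName)) {
            throw new IllegalArgumentException("Only the following curves is supported: %s.".formatted(String.join(",", allowedCurves)));
        }
        return Curve.parse(curveName);
    }

    /**
     * Converts an RSA key pair to an {@link RSAKey} with key use "signature". If only the private key is present,
     * the public key is rebuilt from the private key's modulus and public exponent, which requires the private key
     * to be an {@link RSAPrivateCrtKey}.
     */
    private static RSAKey convertRsaKey(KeyPair keyPair, @Nullable String keyId) {
        var privateKey = keyPair.getPrivate();
        var publicKey = keyPair.getPublic();
        if (publicKey == null && privateKey == null) {
            throw new IllegalArgumentException("Either the public or the private key of a keypair must be non-null when converting RSA -> JWK");
        }
        var rsaPublicKey = (RSAPublicKey) (publicKey != null ? publicKey : deriveRsaPublicKey((RSAPrivateCrtKey) privateKey));
        var builder = new RSAKey.Builder(rsaPublicKey);
        if (privateKey != null) {
            builder.privateKey(privateKey);
        }
        return builder.keyID(keyId).keyUse(KeyUse.SIGNATURE).build();
    }

    /** Rebuilds the RSA public key from the modulus and public exponent stored in a CRT private key. */
    private static PublicKey deriveRsaPublicKey(RSAPrivateCrtKey privateKey) {
        try {
            var spec = new RSAPublicKeySpec(privateKey.getModulus(), privateKey.getPublicExponent());
            return KeyFactory.getInstance(ALGORITHM_RSA).generatePublic(spec);
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Converts an EC key pair to an {@link ECKey} with key use "signature". If only the private key is present, the
     * public point is computed as the curve generator multiplied by the private scalar.
     *
     * @throws IllegalArgumentException if the curve parameters or the derived public key cannot be processed.
     */
    private static ECKey convertEcKey(KeyPair keyPair, @Nullable String keyId) {
        var publicKey = (ECPublicKey) keyPair.getPublic();
        var privateKey = (ECPrivateKey) keyPair.getPrivate();
        java.security.interfaces.ECKey paramsSource = publicKey != null ? publicKey : privateKey;
        try {
            // round-trip the curve parameters through AlgorithmParameters to obtain the curve's identifier
            var parameters = AlgorithmParameters.getInstance(ALGORITHM_EC);
            parameters.init(paramsSource.getParams());
            var curveOid = parameters.getParameterSpec(ECGenParameterSpec.class).getName();
            if (publicKey == null) {
                // Q = d * G, normalized so that the affine coordinates can be read
                ECPoint q = EC5Util.convertSpec(privateKey.getParams()).getG().multiply(privateKey.getS()).normalize();
                var w = new java.security.spec.ECPoint(q.getAffineXCoord().toBigInteger(), q.getAffineYCoord().toBigInteger());
                publicKey = (ECPublicKey) KeyFactory.getInstance(ALGORITHM_EC).generatePublic(new ECPublicKeySpec(w, privateKey.getParams()));
            }
            return new ECKey.Builder(Curve.forOID(curveOid), publicKey)
                    .privateKey(privateKey)
                    .keyID(keyId)
                    .keyUse(KeyUse.SIGNATURE)
                    .build();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException | InvalidParameterSpecException e) {
            throw new IllegalArgumentException(e);
        }
    }

    /** Reverses the array in place and returns the same array instance. */
    private static byte[] reverseArray(byte[] bytes) {
        for (int left = 0, right = bytes.length - 1; left < right; left++, right--) {
            byte swapped = bytes[left];
            bytes[left] = bytes[right];
            bytes[right] = swapped;
        }
        return bytes;
    }

    /** Wraps an Ed25519 public key in a public-only {@link OctetKeyPair} and creates a verifier for it. */
    private static Ed25519Verifier createEdDsaVerifier(PublicKey publicKey) throws JOSEException {
        var edKey = (EdECPublicKey) publicKey;
        var curve = getCurveAllowing(edKey, ALGORITHM_ED25519);
        var jwk = new OctetKeyPair.Builder(curve, encodeX(edKey.getPoint())).build();
        return new Ed25519Verifier(jwk);
    }

    /**
     * Builds an ECDSA verifier and sets BouncyCastle as the JCA provider on it.
     * NOTE(review): presumably BouncyCastle is pinned to support curves the default provider lacks — confirm.
     */
    @NotNull
    private static ECDSAVerifier getEcdsaVerifier(ECPublicKey publicKey) throws JOSEException {
        var verifier = new ECDSAVerifier(publicKey);
        verifier.getJCAContext().setProvider(BouncyCastleProviderSingleton.getInstance());
        return verifier;
    }

    /** Returns the first algorithm supported by the signer that has the given requirement level, if any. */
    @NotNull
    private static Optional<JWSAlgorithm> getWithRequirement(JWSSigner signer, Requirement requirement) {
        return signer.supportedJWSAlgorithms().stream()
                .filter(algorithm -> algorithm.getRequirement() == requirement)
                .findFirst();
    }

    /**
     * Wraps an Ed25519 private key in an {@link OctetKeyPair} and creates a signer for it.
     * The JWK's public {@code x} parameter is left empty because no public key is available here.
     * NOTE(review): this relies on the signer needing only the private {@code d} parameter — confirm.
     */
    private static Ed25519Signer createEdDsaSigner(PrivateKey privateKey) throws JOSEException {
        var edKey = (EdECPrivateKey) privateKey;
        var curve = getCurveAllowing(edKey, ALGORITHM_ED25519);
        var jwk = new OctetKeyPair.Builder(curve, Base64URL.encode(new byte[0])).d(encodeD(edKey)).build();
        return new Ed25519Signer(jwk);
    }

    /**
     * Converts an EdDSA key pair to an {@link OctetKeyPair}. The curve name is taken from the private key if
     * present, else from the public key; it is not restricted to Ed25519 here. If the public key is absent the
     * JWK's {@code x} parameter is an empty value. Unlike the EC and RSA conversions, no key use is set.
     */
    private static OctetKeyPair convertEdDsaKey(KeyPair keyPair, @Nullable String keyId) {
        var publicKey = (EdECPublicKey) keyPair.getPublic();
        var privateKey = (EdECPrivateKey) keyPair.getPrivate();
        var x = publicKey != null ? encodeX(publicKey.getPoint()) : Base64URL.encode(new byte[0]);
        EdECKey paramsSource = privateKey != null ? privateKey : publicKey;
        var curve = Curve.parse(paramsSource.getParams().getName());
        return new OctetKeyPair.Builder(curve, x)
                .d(privateKey != null ? encodeD(privateKey) : null)
                .keyID(keyId)
                .build();
    }

    /**
     * Base64URL-encodes the raw bytes of an EdDSA private key. The result is secret key material.
     *
     * @throws EdcException if the key does not expose its bytes.
     */
    @NotNull
    private static Base64URL encodeD(EdECPrivateKey privateKey) {
        var rawKey = privateKey.getBytes()
                .orElseThrow(() -> new EdcException("Private key is not willing to disclose its bytes"));
        return Base64URL.encode(rawKey);
    }

    /**
     * Encodes an Edwards-curve point as the Base64URL {@code x} parameter of an OKP JWK: the Y coordinate in
     * little-endian byte order, with the top bit of the final byte toggled when X is odd.
     * <p>
     * The encoding is padded to at least 32 bytes (the Ed25519 public key length). {@code BigInteger#toByteArray}
     * omits leading zero bytes, so without padding a Y coordinate with a zero high-order byte would produce a short
     * key and the X-parity bit would land in the wrong byte.
     * <p>
     * NOTE(review): curves with a longer encoding (Ed448 uses 57 octets) are not padded to their own length here,
     * and {@code convertEdDsaKey} does not restrict the curve — confirm whether such keys can reach this method.
     * <p>
     * Visibility: the decompiler reports this method as originally {@code private}; it is {@code public} in this
     * listing and is kept so.
     *
     * @param edECPoint the public point of the key.
     * @return the Base64URL-encoded public key bytes.
     */
    @NotNull
    public static Base64URL encodeX(EdECPoint edECPoint) {
        // toByteArray() is big-endian; the key encoding is little-endian
        var littleEndianY = reverseArray(edECPoint.getY().toByteArray());
        if (littleEndianY.length < ED25519_PUBLIC_KEY_LENGTH) {
            // restore the zero bytes BigInteger dropped; after the reversal they belong at the end
            littleEndianY = Arrays.copyOf(littleEndianY, ED25519_PUBLIC_KEY_LENGTH);
        }
        if (edECPoint.isXOdd()) {
            // flag an odd X coordinate in the most significant bit of the last byte
            littleEndianY[littleEndianY.length - 1] ^= (byte) 0x80;
        }
        return Base64URL.encode(littleEndianY);
    }

    /**
     * Builds the "unsupported algorithm" message. The wording mentions PrivateKey/JWSSigner, but the same text is
     * also used on the verifier and JWK conversion paths.
     */
    private static String notSupportedError(String algorithm) {
        return "Could not convert PrivateKey to a JWSSigner, currently only the following types are supported: %s. The specified key was a %s".formatted(String.join(",", SUPPORTED_ALGORITHMS), algorithm);
    }
}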
