package org.juiser.jwt.config;

import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.impl.TextCodec;
import io.jsonwebtoken.lang.Assert;
import io.jsonwebtoken.lang.Classes;
import io.jsonwebtoken.lang.RuntimeEnvironment;
import io.jsonwebtoken.lang.Strings;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.PublicKey;
import java.security.interfaces.ECKey;
import java.security.interfaces.RSAKey;
import java.util.function.Function;
import javax.crypto.spec.SecretKeySpec;
import org.juiser.io.DefaultResource;
import org.juiser.io.Resource;
import org.juiser.io.ResourceLoader;
import org.juiser.jwt.AlgorithmFamily;

/* loaded from: input_file:org/juiser/jwt/config/ConfigJwkResolver.class */
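/**
 * Resolves the JWT signature verification {@link Key} described by a {@link JwkConfig}.
 *
 * <p>Two mutually exclusive key sources are supported:
 * <ul>
 *   <li>an inline value ({@code getValue()}), decoded as {@code base64url} (default),
 *       {@code base64}, {@code utf8} or {@code pem};</li>
 *   <li>a resource path ({@code getResource()}) loaded through the {@link ResourceLoader}
 *       and parsed as PEM.</li>
 * </ul>
 * Raw bytes always produce an HMAC {@link SecretKeySpec}. PEM input must yield a
 * {@link PublicKey} whose type agrees with the configured algorithm family.
 */
public class ConfigJwkResolver implements Function<JwkConfig, Key> {
    private static final String ENCODING_BASE64URL = "base64url";
    private static final String ENCODING_BASE64 = "base64";
    private static final String ENCODING_UTF8 = "utf8";
    private static final String ENCODING_PEM = "pem";

    private final ResourceLoader resourceLoader;

    /**
     * @param resourceLoader loader used to resolve the configured key resource path; must not be null
     */
    public ConfigJwkResolver(ResourceLoader resourceLoader) {
        Assert.notNull(resourceLoader);
        this.resourceLoader = resourceLoader;
    }

    /**
     * Builds the verification key for the given configuration.
     *
     * @param jwkConfig key configuration; must not be null
     * @return the resolved key, or {@code null} when neither an inline value nor a resource
     *         yields key material
     * @throws IllegalArgumentException if the algorithm family or encoding is unsupported, if both
     *         a value and a resource are configured, if the key type does not match the algorithm
     *         family, or if an asymmetric key is not a {@link PublicKey}
     * @throws IllegalStateException if PEM parsing support is missing or the resource function
     *         returns no key
     */
    @Override // java.util.function.Function
    public Key apply(JwkConfig jwkConfig) {
        Assert.notNull(jwkConfig, "jwkConfig cannot be null.");

        AlgorithmFamily algorithmFamily = resolveAlgorithmFamily(jwkConfig.getAlgFamily());

        // NOTE(review): only the resource path is gated on jwkConfig.isEnabled() (see getResource);
        // an inline value is still honoured when the config is disabled. Confirm this is intended.
        Resource resource = getResource(jwkConfig);
        String value = jwkConfig.getValue();
        boolean hasInlineValue = Strings.hasText(value);
        if (resource != null && hasInlineValue) {
            throw new IllegalArgumentException("Both the juiser.header.jwt.key.value and juiser.header.jwt.key.resource properties may not be set simultaneously.  Please choose one.");
        }

        byte[] secretBytes = null;
        if (hasInlineValue) {
            String encoding = effectiveEncoding(jwkConfig.getEncoding(), value);
            if (encoding.equalsIgnoreCase(ENCODING_PEM)) {
                // An inline PEM string goes through the same parsing path as a PEM resource.
                resource = new DefaultResource(new ByteArrayInputStream(value.getBytes(StandardCharsets.UTF_8)), "juiser.header.jwt.key.value");
            } else {
                secretBytes = decodeSecret(value, encoding);
            }
        }

        Key key = null;
        if (secretBytes != null && secretBytes.length > 0) {
            key = createHmacKey(secretBytes, algorithmFamily);
        }
        if (resource != null) {
            key = resolveAsymmetricKey(resource, hasInlineValue, algorithmFamily);
        }
        return key;
    }

    /** Parses the configured family name; returns {@code null} when none is configured. */
    private static AlgorithmFamily resolveAlgorithmFamily(String algFamily) {
        if (!Strings.hasText(algFamily)) {
            return null;
        }
        try {
            return AlgorithmFamily.forName(algFamily);
        } catch (IllegalArgumentException e) {
            throw new IllegalArgumentException("Unsupported juiser.header.jwt.jwk.algFamily value: " + algFamily + ".  Please use only " + AlgorithmFamily.class.getName() + " enum names: " + Strings.arrayToCommaDelimitedString(AlgorithmFamily.values()), e);
        }
    }

    /** Picks the encoding: a PEM-prefixed value wins, then the configured one, then base64url. */
    private static String effectiveEncoding(String configuredEncoding, String value) {
        if (value.startsWith(PemResourceKeyResolver.PEM_PREFIX)) {
            return ENCODING_PEM;
        }
        return configuredEncoding != null ? configuredEncoding : ENCODING_BASE64URL;
    }

    /** Decodes a non-PEM inline value into raw secret bytes. */
    private static byte[] decodeSecret(String value, String encoding) {
        if (encoding.equalsIgnoreCase(ENCODING_BASE64URL)) {
            return TextCodec.BASE64URL.decode(value);
        }
        if (encoding.equalsIgnoreCase(ENCODING_BASE64)) {
            return TextCodec.BASE64.decode(value);
        }
        if (encoding.equalsIgnoreCase(ENCODING_UTF8)) {
            // The secret is the literal configured text, so its strength is that of the text.
            return value.getBytes(StandardCharsets.UTF_8);
        }
        throw new IllegalArgumentException("Unsupported encoding '" + encoding + "'.  Supported encodings: base64url, base64, utf8, pem.");
    }

    /** Wraps raw bytes as an HMAC key; any explicitly configured family other than HMAC is rejected. */
    private static Key createHmacKey(byte[] secretBytes, AlgorithmFamily algorithmFamily) {
        AlgorithmFamily family = algorithmFamily != null ? algorithmFamily : AlgorithmFamily.HMAC;
        if (family != AlgorithmFamily.HMAC) {
            String name = family.name();
            throw new IllegalArgumentException("It appears that the juiser.header.jwt.key.value is a shared (symmetric) secret key, and this requires the juiser.header.jwt.key.algFamily value to equal HMAC. The specified juiser.header.jwt.key.algFamily value is " + name
                    + ". If you wish to use the " + name + " algorithm, please ensure that either 1) juiser.header.jwt.key.value is a public asymmetric PEM-encoded string, or 2) set the juiser.header.jwt.key.resource property to a Resource path where the PEM-encoded public key file resides, or 3) define a bean named 'juiserForwardedAccountJwtSigningKey' that returns an " + name + " private key instance.");
        }
        return new SecretKeySpec(secretBytes, getAlgorithm(secretBytes).getJcaName());
    }

    /** Parses a PEM resource and checks the key against the algorithm family and PublicKey requirement. */
    private Key resolveAsymmetricKey(Resource resource, boolean fromInlineValue, AlgorithmFamily algorithmFamily) {
        Function<Resource, Key> resourceKeyFunction = createResourceKeyFunction(resource, fromInlineValue);
        Assert.notNull(resourceKeyFunction, "resourceKeyResolver instance cannot be null.");
        Key key = resourceKeyFunction.apply(resource);
        if (key == null) {
            throw new IllegalStateException("Resource to Key resolver/function did not return a key for specified resource [" + resource + "].  If providing your own implementation of this function, ensure it does not return null.");
        }

        AlgorithmFamily family = algorithmFamily;
        if (family == null) {
            // No family configured: derive it from the parsed key type.
            if (key instanceof RSAKey) {
                family = AlgorithmFamily.RSA;
            } else if (key instanceof ECKey) {
                family = AlgorithmFamily.EC;
            } else {
                throw new IllegalArgumentException("Unable to detect jwt signing key type to provide a default signature algorithm.  Please specify the juiser.header.jwt.key.algFamily property.");
            }
        }

        // An explicitly configured family must agree with the parsed key type, so an RSA or EC
        // key is never returned under a different family (HMAC included).
        if (key instanceof RSAKey && family != AlgorithmFamily.RSA) {
            throw new IllegalArgumentException("Signature algorithm family [" + family + "] is not compatible with the specified RSA key.");
        }
        if (key instanceof ECKey && family != AlgorithmFamily.EC) {
            throw new IllegalArgumentException("Signature algorithm family [" + family + "] is not compatible with the specified Elliptic Curve key.");
        }
        // NOTE(review): a key that is neither RSAKey nor ECKey passes the two checks above when a
        // family is configured; only the PublicKey assertion below applies to it.

        // Verification needs only the public half; refuse private key material here.
        Assert.isTrue(key instanceof PublicKey, "Specified asymmetric signature verification key is not a PublicKey.  Please ensure you specify a public (not private) key.");
        return key;
    }

    /**
     * Loads the configured key resource.
     *
     * @return the resource, or {@code null} when the config is disabled or no path is set
     * @throws IllegalArgumentException if the loader fails for the configured path
     */
    private Resource getResource(JwkConfig jwkConfig) {
        if (!jwkConfig.isEnabled()) {
            return null;
        }
        String resourcePath = jwkConfig.getResource();
        if (!Strings.hasText(resourcePath)) {
            return null;
        }
        try {
            return this.resourceLoader.getResource(resourcePath);
        } catch (Exception e) {
            throw new IllegalArgumentException("Unable to load juiser.header.jwt.key.resource [" + resourcePath + "].", e);
        }
    }

    /** Reports whether the named class can be loaded; overridable so tests can simulate a missing dependency. */
    protected boolean isClassAvailable(String className) {
        return Classes.isAvailable(className);
    }

    /**
     * Creates the function that turns a PEM resource into a {@link Key}.
     *
     * @param resource        the PEM resource, used only in the error message
     * @param fromInlineValue {@code true} when the PEM text came from the inline value rather
     *                        than a resource path; selects the error message wording
     * @throws IllegalStateException if the BouncyCastle PEM parser is not on the classpath
     */
    protected Function<Resource, Key> createResourceKeyFunction(Resource resource, boolean fromInlineValue) {
        if (!isClassAvailable("org.bouncycastle.openssl.PEMParser")) {
            throw new IllegalStateException("The org.bouncycastle:bcpkix-jdk15on:1.56 artifact (or newer) must be in the classpath to be able to parse the " + (fromInlineValue ? "juiser.header.jwt.key.value PEM-encoded value" : "juiser.header.jwt.key.resource [" + resource + "]."));
        }
        RuntimeEnvironment.enableBouncyCastleIfPossible();
        return new PemResourceKeyResolver();
    }

    /**
     * Chooses the HMAC variant from the secret length: 64 bytes or more gives HS512,
     * 48 bytes or more gives HS384, anything shorter gives HS256.
     *
     * <p>NOTE(review): secrets shorter than 32 bytes are accepted and mapped to HS256.
     * RFC 7518 section 3.2 requires an HMAC key at least as long as the hash output
     * (256 bits for HS256), and a short secret can be guessed offline from a captured token.
     * Consider enforcing a 32-byte minimum once deployed configurations have been checked.
     *
     * @param hmacSigningBytes the raw secret; must be non-null and non-empty
     */
    static SignatureAlgorithm getAlgorithm(byte[] hmacSigningBytes) {
        Assert.isTrue(hmacSigningBytes != null && hmacSigningBytes.length > 0, "hmacSigningBytes cannot be null or empty.");
        if (hmacSigningBytes.length >= 64) {
            return SignatureAlgorithm.HS512;
        }
        if (hmacSigningBytes.length >= 48) {
            return SignatureAlgorithm.HS384;
        }
        return SignatureAlgorithm.HS256;
    }
}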
