package org.forgerock.openam.sso.providers.stateless;

import com.sun.identity.configuration.SystemProperties;
import com.sun.identity.setup.AMSetupServlet;
import com.sun.identity.shared.configuration.ISystemProperties;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyPair;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import javax.annotation.Nonnull;
import javax.annotation.concurrent.NotThreadSafe;
import org.forgerock.openam.sdk.org.forgerock.json.jose.jwe.CompressionAlgorithm;
import org.forgerock.openam.sdk.org.forgerock.json.jose.jwe.EncryptionMethod;
import org.forgerock.openam.sdk.org.forgerock.json.jose.jwe.JweAlgorithm;
import org.forgerock.openam.sdk.org.forgerock.json.jose.jwe.JweAlgorithmType;
import org.forgerock.openam.sdk.org.forgerock.json.jose.jws.JwsAlgorithm;
import org.forgerock.openam.sdk.org.forgerock.json.jose.jws.SigningManager;
import org.forgerock.openam.sdk.org.forgerock.json.jose.jws.handlers.SigningHandler;
import org.forgerock.openam.sdk.org.forgerock.util.Reject;
import org.forgerock.openam.sdk.org.forgerock.util.annotations.VisibleForTesting;
import org.forgerock.openam.utils.StringUtils;

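/* JADX INFO: Access modifiers changed from: package-private */
/**
 * Builder for {@link JwtSessionMapper}: collects the signing and (optional) encryption
 * configuration of stateless session JWTs and validates the combination in {@link #build()}.
 *
 * <p>Defaults are "no signature" ({@link JwsAlgorithm#NONE} with no-op sign/verify handlers),
 * no encryption and no compression. {@link #build()} rejects the unsigned <em>and</em>
 * unencrypted combination once the server configuration is valid, so the insecure default can
 * only survive while the server is still being set up.
 *
 * <p>The JWE key-management algorithm used for RSA key pairs and the JWE content-encryption
 * method are read from the system properties {@value #RSA_PADDING_METHOD} and
 * {@value #ENCRYPTION_METHOD}, defaulting to {@value #DEFAULT_RSA_PADDING_METHOD} and
 * {@value #DEFAULT_ENCRYPTION_METHOD}. The content-encryption method is resolved at
 * {@link #build()} time, not when the key is supplied.
 *
 * <p>Not thread-safe: every {@code signedUsing*} / {@code encryptedUsing*} call mutates the
 * builder in place. (This is a decompiled listing; the JADX notes record that these members were
 * package-private in the original source and were widened to public by the decompiler.)
 */
@NotThreadSafe
/* loaded from: input_file:WEB-INF/lib/openam-clientsdk-15.0.2.jar:org/forgerock/openam/sso/providers/stateless/JwtSessionMapperBuilder.class */
public class JwtSessionMapperBuilder {
    /** System property naming the JWE content-encryption method (e.g. A128CBC-HS256). */
    private static final String ENCRYPTION_METHOD = "org.forgerock.openam.session.stateless.encryption.method";
    private static final String DEFAULT_ENCRYPTION_METHOD = "A128CBC-HS256";
    /** System property naming the RSA key-management algorithm (padding) used with an RSA key pair. */
    private static final String RSA_PADDING_METHOD = "org.forgerock.openam.session.stateless.rsa.padding";
    private static final String DEFAULT_RSA_PADDING_METHOD = "RSA-OAEP-256";
    private final SigningManager signingManager;
    private final ISystemProperties systemProperties;
    JwsAlgorithm jwsAlgorithm;
    SigningHandler signingHandler;
    SigningHandler verificationHandler;
    /** Null means "no encryption"; {@link #build()} branches on this. */
    JweAlgorithm jweAlgorithm;
    Key encryptionKey;
    Key decryptionKey;
    /** Resolved from system properties in {@link #build()} only when encryption is enabled. */
    EncryptionMethod encryptionMethod;
    CompressionAlgorithm compressionAlgorithm;

    /**
     * Test constructor: injects the {@link SigningManager} used to build the sign/verify handlers
     * and the {@link ISystemProperties} used to resolve the JWE algorithm and method names.
     *
     * <p>The builder starts unsigned ({@link JwsAlgorithm#NONE} with no-op handlers), unencrypted
     * and uncompressed; whether that combination is acceptable is decided by {@link #build()}.
     */
    @VisibleForTesting
    JwtSessionMapperBuilder(SigningManager signingManager, ISystemProperties iSystemProperties) {
        this.jwsAlgorithm = JwsAlgorithm.NONE;
        // The no-op handlers are deliberately taken from a fresh SigningManager (as in the
        // original field initialisers), not from the injected one.
        this.signingHandler = new SigningManager().newNopSigningHandler();
        this.verificationHandler = new SigningManager().newNopSigningHandler();
        this.jweAlgorithm = null;
        this.encryptionKey = null;
        this.decryptionKey = null;
        this.encryptionMethod = null;
        this.compressionAlgorithm = CompressionAlgorithm.NONE;
        this.signingManager = signingManager;
        this.systemProperties = iSystemProperties;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Production constructor: default {@link SigningManager} and the live {@link SystemProperties}. */
    public JwtSessionMapperBuilder() {
        this(new SigningManager(), new SystemProperties());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Signs with RS256 (RSASSA-PKCS1-v1_5 / SHA-256) using the key pair's private key; the
     * verification handler is built from its public key.
     *
     * <p>No minimum modulus size is enforced here; the strength of the signature is entirely
     * that of the supplied key pair.
     *
     * @param keyPair RSA key pair; must not be null
     * @return this builder
     */
    public JwtSessionMapperBuilder signedUsingRS256(@Nonnull KeyPair keyPair) {
        Reject.ifNull(keyPair, "signingKeyPair must not be null.");
        this.jwsAlgorithm = JwsAlgorithm.RS256;
        this.signingHandler = this.signingManager.newRsaSigningHandler(keyPair.getPrivate());
        this.verificationHandler = this.signingManager.newRsaSigningHandler(keyPair.getPublic());
        return this;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Signs with HMAC-SHA256 over the UTF-8 bytes of {@code str}; see {@link #signedUsingHSxxx}. */
    public JwtSessionMapperBuilder signedUsingHS256(@Nonnull String str) {
        signedUsingHSxxx(JwsAlgorithm.HS256, str);
        return this;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Signs with HMAC-SHA384 over the UTF-8 bytes of {@code str}; see {@link #signedUsingHSxxx}. */
    public JwtSessionMapperBuilder signedUsingHS384(@Nonnull String str) {
        signedUsingHSxxx(JwsAlgorithm.HS384, str);
        return this;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Signs with HMAC-SHA512 over the UTF-8 bytes of {@code str}; see {@link #signedUsingHSxxx}. */
    public JwtSessionMapperBuilder signedUsingHS512(@Nonnull String str) {
        signedUsingHSxxx(JwsAlgorithm.HS512, str);
        return this;
    }

    /**
     * Configures a symmetric HMAC signature. The same key bytes are used for signing and
     * verification, so every party holding the secret can mint valid session tokens.
     *
     * <p>Only null/empty is rejected: no minimum secret length is enforced. RFC 7518 §3.2
     * requires an HMAC key at least as long as the hash output (32/48/64 bytes for
     * HS256/HS384/HS512); a shorter configured secret is brute-forceable offline from a single
     * captured token. The secret also arrives as a {@link String}, so it cannot be zeroed after
     * use.
     *
     * @param jwsAlgorithm one of HS256/HS384/HS512
     * @param str          the shared secret, encoded as UTF-8 to obtain the key bytes
     */
    private void signedUsingHSxxx(@Nonnull JwsAlgorithm jwsAlgorithm, @Nonnull String str) {
        Reject.ifNull(jwsAlgorithm, "jwsAlgorithm must not be null.");
        Reject.ifTrue(StringUtils.isEmpty(str), "sharedSecret must not be null or empty string.");
        byte[] bytes = str.getBytes(StandardCharsets.UTF_8);
        this.jwsAlgorithm = jwsAlgorithm;
        this.signingHandler = this.signingManager.newHmacSigningHandler(bytes);
        this.verificationHandler = this.signingManager.newHmacSigningHandler(bytes);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Signs with ECDSA/SHA-256; see {@link #signedUsingESxxx}. */
    public JwtSessionMapperBuilder signedUsingES256(@Nonnull KeyPair keyPair) {
        signedUsingESxxx(JwsAlgorithm.ES256, keyPair);
        return this;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Signs with ECDSA/SHA-384; see {@link #signedUsingESxxx}. */
    public JwtSessionMapperBuilder signedUsingES384(@Nonnull KeyPair keyPair) {
        signedUsingESxxx(JwsAlgorithm.ES384, keyPair);
        return this;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Signs with ECDSA/SHA-512; see {@link #signedUsingESxxx}. */
    public JwtSessionMapperBuilder signedUsingES512(@Nonnull KeyPair keyPair) {
        signedUsingESxxx(JwsAlgorithm.ES512, keyPair);
        return this;
    }

    /**
     * Configures an ECDSA signature: the private key signs, the public key verifies.
     *
     * <p>Only the key <em>types</em> are checked ({@link ECPrivateKey}/{@link ECPublicKey});
     * the curve is not checked against the algorithm here (ES256/384/512 expect P-256/384/521
     * per RFC 7518 §3.4). A mismatched curve is presumably rejected later by the handler rather
     * than by this builder.
     *
     * @param jwsAlgorithm one of ES256/ES384/ES512
     * @param keyPair      EC key pair; must not be null
     */
    private void signedUsingESxxx(@Nonnull JwsAlgorithm jwsAlgorithm, @Nonnull KeyPair keyPair) {
        Reject.ifNull(keyPair, "signingKeyPair must not be null.");
        Reject.ifFalse(keyPair.getPrivate() instanceof ECPrivateKey, "private key is not suitable for " + jwsAlgorithm);
        Reject.ifFalse(keyPair.getPublic() instanceof ECPublicKey, "public key is not suitable for " + jwsAlgorithm);
        this.jwsAlgorithm = jwsAlgorithm;
        this.signingHandler = this.signingManager.newEcdsaSigningHandler((ECPrivateKey) keyPair.getPrivate());
        this.verificationHandler = this.signingManager.newEcdsaVerificationHandler((ECPublicKey) keyPair.getPublic());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Encrypts with an RSA key pair: the public key wraps the content-encryption key, the private
     * key unwraps it. The key-management algorithm is taken from the
     * {@value #RSA_PADDING_METHOD} property (default {@value #DEFAULT_RSA_PADDING_METHOD}).
     *
     * <p>Because the wrapping key is public, RSA encryption alone gives no authenticity: anyone
     * with the public key could mint a token. {@link #build()} therefore refuses RSA encryption
     * without a signature. Keep the OAEP default; configuring RSA1_5 (PKCS#1 v1.5 padding)
     * exposes the token decryption path to padding-oracle attacks.
     *
     * @param keyPair RSA key pair; must not be null
     * @return this builder
     */
    public JwtSessionMapperBuilder encryptedUsingKeyPair(@Nonnull KeyPair keyPair) {
        Reject.ifNull(keyPair, "encryptionKeyPair must not be null.");
        this.encryptionKey = keyPair.getPublic();
        this.decryptionKey = keyPair.getPrivate();
        this.jweAlgorithm = JweAlgorithm.parseAlgorithm(this.systemProperties.getOrDefault(RSA_PADDING_METHOD, DEFAULT_RSA_PADDING_METHOD));
        return this;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Encrypts with AES Key Wrap, selecting A128KW/A192KW/A256KW from the length of the encoded
     * key (16/24/32 bytes). The same key is used for wrapping and unwrapping.
     *
     * <p>{@link Key#getEncoded()} is specified to return null for keys whose material cannot be
     * exported (e.g. non-extractable HSM/PKCS#11 keys); the original dereferenced it
     * unconditionally and would have failed with a {@link NullPointerException}. Such keys are
     * now rejected with a clear {@link IllegalArgumentException}, and no builder state is
     * modified when the key is rejected. The key's algorithm name is not checked here.
     *
     * @param key symmetric key; must not be null and must be extractable
     * @return this builder
     * @throws IllegalArgumentException if the key is not extractable or is not 128/192/256 bits
     */
    public JwtSessionMapperBuilder encryptedUsingKeyWrap(@Nonnull Key key) {
        Reject.ifNull(key, "symmetricEncryptionKey must not be null.");
        byte[] encoded = key.getEncoded();
        if (encoded == null) {
            throw new IllegalArgumentException(
                    "Invalid key for AES KeyWrap: key material is not extractable (getEncoded() returned null)");
        }
        final JweAlgorithm selected;
        switch (encoded.length) {
            case 16:
                selected = JweAlgorithm.A128KW;
                break;
            case 24:
                selected = JweAlgorithm.A192KW;
                break;
            case 32:
                selected = JweAlgorithm.A256KW;
                break;
            default:
                throw new IllegalArgumentException("Invalid key size for AES KeyWrap: must be 128, 192 or 256 bits");
        }
        // Assign only after validation so a rejected key leaves the builder untouched.
        this.encryptionKey = key;
        this.decryptionKey = key;
        this.jweAlgorithm = selected;
        return this;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Uses {@code key} directly as the content-encryption key ({@link JweAlgorithm#DIRECT}).
     *
     * <p>No size check is possible here: the required length depends on the content-encryption
     * method, which is only resolved in {@link #build()} (the default A128CBC-HS256 needs a
     * 32-byte key). A mismatch is presumably detected when the first token is encrypted, not by
     * this builder.
     *
     * @param key symmetric content-encryption key; must not be null
     * @return this builder
     */
    public JwtSessionMapperBuilder encryptedUsingDirectKey(@Nonnull Key key) {
        Reject.ifNull(key, "symmetricEncryptionKey must not be null.");
        this.encryptionKey = key;
        this.decryptionKey = key;
        this.jweAlgorithm = JweAlgorithm.DIRECT;
        return this;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Sets the JWE {@code zip} compression algorithm (default {@link CompressionAlgorithm#NONE}).
     *
     * <p>Compressing before encrypting makes ciphertext length depend on plaintext content; if
     * any attacker-influenced data ends up in the session JWT this can leak information. Leave it
     * at NONE unless token size is a real problem.
     *
     * @param compressionAlgorithm must not be null
     * @return this builder
     */
    public JwtSessionMapperBuilder compressedUsing(CompressionAlgorithm compressionAlgorithm) {
        this.compressionAlgorithm = (CompressionAlgorithm) Reject.checkNotNull(compressionAlgorithm);
        return this;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Validates the accumulated configuration and creates the mapper.
     *
     * <p>When encryption is enabled, the content-encryption method is resolved from the
     * {@value #ENCRYPTION_METHOD} property (default {@value #DEFAULT_ENCRYPTION_METHOD}) and RSA
     * key management is rejected unless a signature algorithm is also configured (the wrapping key
     * is public, so encryption alone proves nothing about who minted the token). Symmetric key
     * management (AES KW / direct) is allowed without a signature; token integrity then rests on
     * the content-encryption method being authenticated, which the default A128CBC-HS256 is.
     *
     * <p>When encryption is disabled, an unsigned ({@link JwsAlgorithm#NONE}) mapper is refused
     * as soon as {@link #isConfigured()} reports a valid server configuration. Before that point
     * (initial setup) an unsigned, unencrypted mapper is still produced — such tokens carry no
     * integrity protection at all.
     *
     * @return the configured mapper
     * @throws NullPointerException     via {@link Reject} if a required handler, key or method is missing
     * @throws IllegalArgumentException via {@link Reject} for a rejected algorithm combination
     */
    public JwtSessionMapper build() {
        Reject.ifNull(this.jwsAlgorithm, "jwsAlgorithm must not be null.");
        Reject.ifNull(this.signingHandler, "signingHandler must not be null.");
        Reject.ifNull(this.verificationHandler, "verificationHandler must not be null.");
        if (this.jweAlgorithm != null) {
            this.encryptionMethod = EncryptionMethod.parseMethod(this.systemProperties.getOrDefault(ENCRYPTION_METHOD, DEFAULT_ENCRYPTION_METHOD));
            Reject.ifNull(this.encryptionMethod, "Encryption enabled but no EncryptionMethod specified");
            Reject.ifNull(this.encryptionKey, "Encryption enabled but no encryption key specified");
            Reject.ifNull(this.decryptionKey, "Encryption enabled but no decryption key specified");
            Reject.ifTrue(this.jweAlgorithm.getAlgorithmType() == JweAlgorithmType.RSA && this.jwsAlgorithm == JwsAlgorithm.NONE, "RSA encryption should not be used without a signature");
        } else {
            Reject.ifTrue(this.jwsAlgorithm == JwsAlgorithm.NONE && isConfigured(), "No encryption or signature scheme specified!");
        }
        return new JwtSessionMapper(this);
    }

    @VisibleForTesting
    JwsAlgorithm getJwsAlgorithm() {
        return this.jwsAlgorithm;
    }

    /**
     * Whether the server configuration is valid; while it is not (initial setup), {@link #build()}
     * tolerates an unsigned, unencrypted mapper. Overridable for tests.
     */
    @VisibleForTesting
    boolean isConfigured() {
        return AMSetupServlet.isCurrentConfigurationValid();
    }
}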
