package io.helidon.security.jwt.jwk;

import io.helidon.security.jwt.JwtException;
import io.helidon.security.jwt.JwtUtil;
import io.helidon.security.jwt.jwk.Jwk;
import jakarta.json.JsonObject;
import java.io.ByteArrayInputStream;
import java.lang.System;
import java.net.URI;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import java.util.Optional;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:io/helidon/security/jwt/jwk/JwkPki.class */
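/**
 * Base class for JWKs backed by an asymmetric key pair (public key, optional private key)
 * and the optional X.509 metadata a JWK may carry: a certificate chain ({@code x5c}),
 * a chain URL ({@code x5u}) and SHA-1 / SHA-256 certificate thumbprints.
 * <p>
 * Signing requires the private key to be present; verification only needs the public key.
 * Thumbprints and the certificate chain are exposed as defensive copies so callers cannot
 * alter the key material this JWK matches against.
 */
public abstract class JwkPki extends Jwk {
    /** JWK parameter name: URL of an X.509 certificate chain ({@code x5u}). */
    public static final String PARAM_X509_CHAIN_URL = "x5u";
    /** JWK parameter name: embedded X.509 certificate chain ({@code x5c}). */
    public static final String PARAM_X509_CHAIN = "x5c";
    /** JWK parameter name: SHA-1 thumbprint of the certificate ({@code x5t}). */
    public static final String PARAM_X509_SHA_1 = "x5t";
    /** JWK parameter name: SHA-256 thumbprint of the certificate ({@code x5t#S256}). */
    public static final String PARAM_X509_SHA_256 = "x5t#S256";
    private static final System.Logger LOGGER = System.getLogger(JwkPki.class.getName());
    // x5c entries are plain base64 DER (RFC 7517 section 4.7), not base64url, hence the basic decoder.
    private static final Base64.Decoder DECODER = Base64.getDecoder();
    private final Optional<PrivateKey> privateKey;
    private final PublicKey publicKey;
    private final Optional<List<X509Certificate>> certificateChain;
    private final Optional<byte[]> sha1Thumbprint;
    private final Optional<byte[]> sha256Thumbprint;

    /**
     * Fluent builder for PKI-backed JWKs. Self-typed so subclass builders keep
     * returning their own type from the inherited setters.
     *
     * @param <T> concrete builder type
     */
    public static class Builder<T extends Builder<T>> extends Jwk.Builder<T> {
        // T is always the concrete builder's own type by construction, so this cast is safe.
        @SuppressWarnings("unchecked")
        private final T myInstance = (T) this;
        private List<X509Certificate> certificateChain;
        private byte[] sha1Thumbprint;
        private byte[] sha256Thumbprint;

        /**
         * Decodes an {@code x5c} array into X.509 certificates, preserving order.
         *
         * @param encodedChain base64 (not base64url) DER certificates
         * @return decoded certificates in the order given
         * @throws JwtException if a certificate cannot be decoded or parsed, or if no
         *         X.509 {@link CertificateFactory} is available in this JVM
         */
        private static List<X509Certificate> processCertChain(List<String> encodedChain) {
            CertificateFactory factory;
            try {
                factory = CertificateFactory.getInstance("X.509");
            } catch (CertificateException e) {
                throw new JwtException("Failed to get certificate factory. This is JVM misconfiguration", e);
            }
            List<X509Certificate> chain = new ArrayList<>(encodedChain.size());
            for (String encoded : encodedChain) {
                try {
                    // IllegalArgumentException covers malformed base64 so callers see one failure type
                    byte[] der = DECODER.decode(encoded);
                    chain.add((X509Certificate) factory.generateCertificate(new ByteArrayInputStream(der)));
                } catch (CertificateException | IllegalArgumentException e) {
                    throw new JwtException("Failed to read certificate from JWK", e);
                }
            }
            return chain;
        }

        /**
         * Placeholder for {@code x5u} support: chains are never fetched from a URL here.
         * An error is logged and an empty chain is returned.
         *
         * @param uri ignored beyond being logged as unsupported
         * @return an empty list
         */
        private static List<X509Certificate> processCertChain(URI uri) {
            LOGGER.log(System.Logger.Level.ERROR, "Certificate chain from URL is not (yet) supported");
            return List.of();
        }

        /**
         * Replaces the certificate chain with a copy of the given list.
         *
         * @param list certificates, first one expected to hold the key (not validated here)
         * @return this builder
         * @throws NullPointerException if {@code list} is null
         */
        public T certificateChain(List<X509Certificate> list) {
            Objects.requireNonNull(list, "certificateChain");
            this.certificateChain = new ArrayList<>(list);
            return this.myInstance;
        }

        /**
         * Appends one certificate to the chain, creating the chain if needed.
         *
         * @param x509Certificate certificate to append
         * @return this builder
         */
        public T addCertificateChain(X509Certificate x509Certificate) {
            if (this.certificateChain == null) {
                this.certificateChain = new ArrayList<>();
            }
            this.certificateChain.add(x509Certificate);
            return this.myInstance;
        }

        /**
         * Sets the SHA-1 certificate thumbprint (stored as a copy).
         *
         * @param bArr thumbprint bytes, or null to clear
         * @return this builder
         */
        public T sha1Thumbprint(byte[] bArr) {
            this.sha1Thumbprint = (bArr == null) ? null : bArr.clone();
            return this.myInstance;
        }

        /**
         * Sets the SHA-256 certificate thumbprint (stored as a copy).
         *
         * @param bArr thumbprint bytes, or null to clear
         * @return this builder
         */
        public T sha256Thumbprint(byte[] bArr) {
            this.sha256Thumbprint = (bArr == null) ? null : bArr.clone();
            return this.myInstance;
        }

        /**
         * Reads the PKI-related parameters ({@code x5u}, {@code x5c}, {@code x5t},
         * {@code x5t#S256}) from the JWK JSON after the common ones handled by the superclass.
         * <p>
         * Since {@code x5u} cannot be fetched, an embedded {@code x5c} chain takes precedence
         * whenever the URL branch produced nothing; a JWK with only {@code x5u} still ends up
         * with an empty (present) chain.
         *
         * @param jsonObject JWK JSON
         * @return this builder
         */
        @Override
        public T fromJson(JsonObject jsonObject) {
            super.fromJson(jsonObject);
            Optional<List<X509Certificate>> fromUrl = JwtUtil.getString(jsonObject, PARAM_X509_CHAIN_URL)
                    .map(URI::create)
                    .map(Builder::processCertChain);
            fromUrl.filter(chain -> !chain.isEmpty())
                    .or(() -> JwtUtil.getStrings(jsonObject, PARAM_X509_CHAIN).map(Builder::processCertChain))
                    .or(() -> fromUrl)
                    .ifPresent(this::certificateChain);
            this.sha1Thumbprint = JwtUtil.getByteArray(jsonObject, PARAM_X509_SHA_1, "SHA-1 Certificate Thumbprint")
                    .orElse(null);
            this.sha256Thumbprint = JwtUtil.getByteArray(jsonObject, PARAM_X509_SHA_256, "SHA-256 Certificate Thumbprint")
                    .orElse(null);
            return this.myInstance;
        }
    }

    /**
     * Creates a PKI JWK from a builder and the already-parsed key pair.
     * NOTE(review): the certificate chain is not checked here to match {@code publicKey};
     * confirm that callers validate it before relying on it.
     *
     * @param builder    builder holding chain and thumbprints
     * @param privateKey private key, may be null (verification-only key)
     * @param publicKey  public key
     * @param str        key type passed to the superclass
     */
    public JwkPki(Builder<?> builder, PrivateKey privateKey, PublicKey publicKey, String str) {
        super(builder, str);
        this.privateKey = Optional.ofNullable(privateKey);
        this.publicKey = publicKey;
        // copy then wrap so later builder mutation cannot leak into this immutable key
        this.certificateChain = Optional.ofNullable(builder.certificateChain)
                .map(chain -> Collections.unmodifiableList(new ArrayList<>(chain)));
        this.sha1Thumbprint = Optional.ofNullable(builder.sha1Thumbprint).map(byte[]::clone);
        this.sha256Thumbprint = Optional.ofNullable(builder.sha256Thumbprint).map(byte[]::clone);
    }

    /**
     * @return private key if this JWK can sign, empty otherwise
     */
    public Optional<PrivateKey> privateKey() {
        return this.privateKey;
    }

    /**
     * @return public key used for verification
     */
    public PublicKey publicKey() {
        return this.publicKey;
    }

    /**
     * @return unmodifiable certificate chain if one was configured
     */
    public Optional<List<X509Certificate>> certificateChain() {
        return this.certificateChain;
    }

    /**
     * @return a copy of the SHA-1 certificate thumbprint if configured
     */
    public Optional<byte[]> sha1Thumbprint() {
        return this.sha1Thumbprint.map(byte[]::clone);
    }

    /**
     * @return a copy of the SHA-256 certificate thumbprint if configured
     */
    public Optional<byte[]> sha256Thumbprint() {
        return this.sha256Thumbprint.map(byte[]::clone);
    }

    /**
     * @return JCA signature algorithm name for this key, or {@link Jwk#ALG_NONE}
     */
    abstract String signatureAlgorithm();

    /**
     * Verifies {@code bArr2} as a signature over {@code bArr} with the public key.
     * For {@link Jwk#ALG_NONE} the decision is delegated to the inherited {@code verifyNoneAlg}.
     *
     * @param bArr  signed data
     * @param bArr2 signature to check
     * @return true only if the signature verifies
     * @throws JwtException if verification cannot be carried out (bad key, bad encoding, ...)
     */
    @Override
    public boolean doVerify(byte[] bArr, byte[] bArr2) {
        String algorithm = signatureAlgorithm();
        if (Jwk.ALG_NONE.equals(algorithm)) {
            return verifyNoneAlg(bArr2);
        }
        Signature signature = JwtUtil.getSignature(algorithm);
        try {
            signature.initVerify(this.publicKey);
            signature.update(bArr);
            return signature.verify(bArr2);
        } catch (Exception e) {
            // deliberately broad: callers rely on JwtException as the single failure type here
            throw new JwtException("Failed to verify signature. It may still be valid, but an exception was thrown", e);
        }
    }

    /**
     * Signs {@code bArr} with the private key.
     *
     * @param bArr data to sign
     * @return signature bytes, or {@code EMPTY_BYTES} for {@link Jwk#ALG_NONE}
     * @throws JwtException if no private key is present or signing fails
     */
    @Override
    public byte[] doSign(byte[] bArr) {
        String algorithm = signatureAlgorithm();
        if (Jwk.ALG_NONE.equals(algorithm)) {
            return EMPTY_BYTES;
        }
        Signature signature = JwtUtil.getSignature(algorithm);
        try {
            PrivateKey key = this.privateKey
                    .orElseThrow(() -> new JwtException("To sign data, private key MUST be present"));
            signature.initSign(key);
            signature.update(bArr);
            return signature.sign();
        } catch (Exception e) {
            // deliberately broad: callers rely on JwtException as the single failure type here
            throw new JwtException("Failed to sign data", e);
        }
    }
}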
