package com.orientechnologies.orient.core.security;

import com.orientechnologies.common.exception.OException;
import com.orientechnologies.common.exception.OSystemException;
import com.orientechnologies.common.log.OLogManager;
import com.orientechnologies.orient.core.config.OContextConfiguration;
import com.orientechnologies.orient.core.config.OGlobalConfiguration;
import com.orientechnologies.orient.core.metadata.security.OToken;
import com.orientechnologies.orient.core.metadata.security.jwt.OKeyProvider;
import com.orientechnologies.orient.core.metadata.security.jwt.OTokenHeader;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Mac;

/* loaded from: input_file:com/orientechnologies/orient/core/security/OTokenSignImpl.class */
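/**
 * HMAC-based implementation of {@link OTokenSign}: computes and verifies the signature of a token
 * with a {@link Mac} of the configured algorithm and a key obtained from an {@link OKeyProvider}.
 *
 * <p>{@link Mac} instances are stateful, so they are cached per thread and per algorithm name and
 * are reset after every use.
 */
public class OTokenSignImpl implements OTokenSign {
    public static final String ENCRYPTION_ALGORITHM_DEFAULT = "HmacSHA256";

    /** Size in bytes of the key generated when the configuration supplies none. */
    private static final int GENERATED_KEY_BYTES = 32;

    /** Per-thread cache of Mac instances, keyed by algorithm name. */
    private static final ThreadLocal<Map<String, Mac>> threadLocalMac =
        ThreadLocal.withInitial(HashMap::new);

    private final String algorithm;
    private final OKeyProvider keyProvider;

    /**
     * Builds a signer from the context configuration: the key comes from
     * {@link #readKeyFromConfig(OContextConfiguration)} and the algorithm from
     * {@code NETWORK_TOKEN_ENCRYPTION_ALGORITHM}.
     *
     * @param oContextConfiguration configuration to read the key and the algorithm name from
     * @throws IllegalArgumentException if the configured algorithm is not available
     */
    public OTokenSignImpl(OContextConfiguration oContextConfiguration) {
        this(readKeyFromConfig(oContextConfiguration), oContextConfiguration.getValueAsString(OGlobalConfiguration.NETWORK_TOKEN_ENCRYPTION_ALGORITHM));
    }

    /**
     * Builds a signer for the given raw key.
     *
     * @param bArr key material handed to the default key provider
     * @param str  MAC algorithm name, or {@code null} to use {@link #ENCRYPTION_ALGORITHM_DEFAULT}
     * @throws IllegalArgumentException if no provider offers the algorithm
     */
    public OTokenSignImpl(byte[] bArr, String str) {
        this.algorithm = str != null ? str : ENCRYPTION_ALGORITHM_DEFAULT;
        this.keyProvider = new DefaultKeyProvider(bArr);
        try {
            // Fail at construction time rather than on the first sign/verify call.
            Mac.getInstance(this.algorithm);
        } catch (NoSuchAlgorithmException e) {
            // Report the algorithm actually resolved, not the possibly-null argument.
            throw new IllegalArgumentException("Can't find encryption algorithm '" + this.algorithm + "'", e);
        }
    }

    /**
     * Returns the calling thread's Mac for this signer's algorithm, creating and caching it on
     * first use.
     */
    private Mac getLocalMac() {
        Map<String, Mac> cache = threadLocalMac.get();
        Mac mac = cache.get(this.algorithm);
        if (mac == null) {
            try {
                mac = Mac.getInstance(this.algorithm);
            } catch (NoSuchAlgorithmException e) {
                throw new IllegalArgumentException("Can't find encryption algorithm '" + this.algorithm + "'", e);
            }
            cache.put(this.algorithm, mac);
        }
        return mac;
    }

    /**
     * Computes the MAC of {@code bArr} with the key the provider selects for the given header.
     *
     * @param oTokenHeader header used by the key provider to pick the key
     * @param bArr         bytes to sign
     * @return the raw signature bytes
     */
    @Override // com.orientechnologies.orient.core.security.OTokenSign
    public byte[] signToken(OTokenHeader oTokenHeader, byte[] bArr) {
        Mac localMac = getLocalMac();
        try {
            localMac.init(this.keyProvider.getKey(oTokenHeader));
            return localMac.doFinal(bArr);
        } catch (Exception e) {
            // Message text left unchanged although this path signs rather than parses.
            throw OException.wrapException(new OSystemException("Error on token parsing"), e);
        } finally {
            // The Mac is shared by every call on this thread: never leave partial state behind.
            localMac.reset();
        }
    }

    /**
     * Recomputes the MAC over the token bytes and compares it with the signature carried by the
     * parsed token.
     *
     * @param oParsedToken parsed token exposing the token, its signed bytes and its signature
     * @return {@code true} if the signature matches, {@code false} otherwise
     */
    @Override // com.orientechnologies.orient.core.security.OTokenSign
    public boolean verifyTokenSign(OParsedToken oParsedToken) {
        OToken token = oParsedToken.getToken();
        byte[] tokenBytes = oParsedToken.getTokenBytes();
        byte[] signature = oParsedToken.getSignature();
        Mac localMac = getLocalMac();
        try {
            localMac.init(this.keyProvider.getKey(token.getHeader()));
            localMac.update(tokenBytes, 0, tokenBytes.length);
            // MessageDigest.isEqual is used so the comparison is not an early-exit byte compare.
            boolean valid = MessageDigest.isEqual(localMac.doFinal(), signature);
            if (!valid) {
                // NOTE(review): this writes the full, unverified token body to the log at WARN.
                // Its size and content are caller-controlled and it may carry identifying claims;
                // consider logging a digest or a length-capped prefix instead - confirm with the
                // consumers of this log line before changing it.
                OLogManager.instance().warn(this, "Token signature failure: %s", Base64.getEncoder().encodeToString(tokenBytes));
            }
            return valid;
        } catch (RuntimeException e) {
            throw e;
        } catch (Exception e) {
            throw OException.wrapException(new OSystemException("Token signature cannot be verified"), e);
        } finally {
            localMac.reset();
        }
    }

    /** Returns the MAC algorithm name this signer was built with. */
    @Override // com.orientechnologies.orient.core.security.OTokenSign
    public String getAlgorithm() {
        return this.algorithm;
    }

    /** Delegates to the key provider. */
    @Override // com.orientechnologies.orient.core.security.OTokenSign
    public String getDefaultKey() {
        return this.keyProvider.getDefaultKey();
    }

    /** Delegates to the key provider. */
    @Override // com.orientechnologies.orient.core.security.OTokenSign
    public String[] getKeys() {
        return this.keyProvider.getKeys();
    }

    /**
     * Reads the signing key from the configuration.
     *
     * <p>{@code NETWORK_TOKEN_SECRETKEY} is tried first, then {@code OAUTH2_SECRETKEY}; the value is
     * decoded as URL-safe Base64. When neither is set, a random key is generated. A generated key
     * is not stored by this method, so every call without a configured key yields a different one.
     *
     * @param oContextConfiguration configuration to read from
     * @return the key bytes, never {@code null}
     * @throws IllegalArgumentException if the configured value is not valid URL-safe Base64
     */
    public static byte[] readKeyFromConfig(OContextConfiguration oContextConfiguration) {
        String encodedKey = oContextConfiguration.getValueAsString(OGlobalConfiguration.NETWORK_TOKEN_SECRETKEY);
        if (encodedKey == null || encodedKey.isEmpty()) {
            encodedKey = oContextConfiguration.getValueAsString(OGlobalConfiguration.OAUTH2_SECRETKEY);
        }
        if (encodedKey != null && !encodedKey.isEmpty()) {
            // NOTE(review): no minimum length is enforced on a configured key.
            return Base64.getUrlDecoder().decode(encodedKey);
        }
        // Fill the whole key from the CSPRNG. Deriving it from a single random long would cap the
        // key at 64 bits of entropy no matter how long the resulting digest is.
        byte[] generated = new byte[GENERATED_KEY_BYTES];
        new SecureRandom().nextBytes(generated);
        return generated;
    }
}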
