package org.apache.geronimo.microprofile.impl.jwtauth.jwt;

import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;
import java.util.Locale;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.PostConstruct;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import org.apache.geronimo.microprofile.impl.jwtauth.JwtException;
import org.apache.geronimo.microprofile.impl.jwtauth.config.GeronimoJwtAuthConfig;

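/**
 * Verifies the signature segment of a JWT against configured key material.
 *
 * <p>Configuration keys read once in {@link #init()}:
 * <ul>
 *   <li>{@code header.alg.supported} (default {@code RS256}): comma-separated allow-list of
 *       algorithm names, compared case-insensitively.</li>
 *   <li>{@code public-key.cache.active} (default {@code true}): whether parsed public keys are
 *       memoized.</li>
 *   <li>{@code jca.provider} (default: none): JCA provider name used for {@link Mac} and
 *       {@link Signature} lookups.</li>
 * </ul>
 *
 * <p>Security notes for operators and reviewers:
 * <ul>
 *   <li>The algorithm name handed to {@link #verifySignature(String, String, String, String)}
 *       decides whether the <em>same</em> key string is parsed as an X.509 public key (RS*) or
 *       used as raw HMAC secret bytes (HS*). The allow-list is the only check separating the two
 *       interpretations, so keep {@code header.alg.supported} restricted to the one family that
 *       matches the configured key. In particular, do not list HS* when the configured key is a
 *       public key.</li>
 *   <li>ES256/ES384/ES512 are recognised by the dispatcher, but {@code toPublicKey} rejects the
 *       {@code "EC"} key type, so those algorithms always fail with "Invalid signing".</li>
 *   <li>The public-key cache is keyed by the raw key string and is never evicted.</li>
 * </ul>
 */
@ApplicationScoped
/* loaded from: input_file:org/apache/geronimo/microprofile/impl/jwtauth/jwt/SignatureValidator.class */
public class SignatureValidator {

    @Inject
    private GeronimoJwtAuthConfig config;
    // Lower-cased algorithm names accepted by verifySignature; populated in init().
    private Set<String> supportedAlgorithms;
    // Optional JCA provider name; null means "use the default provider lookup".
    private String jcaProvider;
    private boolean useCache;
    // Parsed public keys keyed by the key string they were parsed from (unbounded).
    private final ConcurrentMap<String, PublicKey> publicKeyCache = new ConcurrentHashMap<>();

    /** Reads the validator settings from the injected configuration. */
    @PostConstruct
    private void init() {
        this.useCache = Boolean.parseBoolean(this.config.read("public-key.cache.active", "true"));
        // Normalise the allow-list to lower case so it matches the lower-cased header value.
        this.supportedAlgorithms = Stream.of(this.config.read("header.alg.supported", "RS256").split(","))
                .map(String::trim)
                .map(name -> name.toLowerCase(Locale.ROOT))
                .filter(name -> !name.isEmpty())
                .collect(Collectors.toSet());
        this.jcaProvider = this.config.read("jca.provider", null);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Checks {@code expected} against {@code signingString} using the algorithm named by
     * {@code alg} and the key material in {@code key}.
     *
     * @param alg algorithm name; matched case-insensitively against the configured allow-list
     * @param key key material: a Base64 X.509 public key (optionally PEM-wrapped) for RS*, or the
     *     shared secret text for HS*
     * @param signingString the text that was signed; hashed as UTF-8 bytes
     * @param expected the Base64URL-encoded signature to verify
     * @throws JwtException (status 401) if the algorithm is not in the allow-list, the key cannot
     *     be turned into a public key, or the signature does not match
     * @throws IllegalArgumentException if the algorithm is in the allow-list but has no
     *     implementation here (for example a value such as {@code none} added to the
     *     configuration), so an unknown name can never result in acceptance
     */
    public void verifySignature(String alg, String key, String signingString, String expected) {
        String normalizedAlg = alg.toLowerCase(Locale.ROOT);
        // Allow-list check comes first: the header value must never select an algorithm
        // the operator did not enable.
        if (!this.supportedAlgorithms.contains(normalizedAlg)) {
            throw new JwtException("Unsupported algorithm", 401);
        }
        switch (normalizedAlg) {
            case "rs256":
                verifySignature(toPublicKey(key, "RSA"), signingString, expected, "SHA256withRSA");
                return;
            case "rs384":
                verifySignature(toPublicKey(key, "RSA"), signingString, expected, "SHA384withRSA");
                return;
            case "rs512":
                verifySignature(toPublicKey(key, "RSA"), signingString, expected, "SHA512withRSA");
                return;
            case "hs256":
                verifyMac(toSecretKey(key, "HmacSHA256"), signingString, expected);
                return;
            case "hs384":
                verifyMac(toSecretKey(key, "HmacSHA384"), signingString, expected);
                return;
            case "hs512":
                verifyMac(toSecretKey(key, "HmacSHA512"), signingString, expected);
                return;
            // The ES* branches currently always fail: toPublicKey rejects "EC" before the
            // Signature call is reached.
            case "es256":
                verifySignature(toPublicKey(key, "EC"), signingString, expected, "SHA256withECDSA");
                return;
            case "es384":
                verifySignature(toPublicKey(key, "EC"), signingString, expected, "SHA384withECDSA");
                return;
            case "es512":
                verifySignature(toPublicKey(key, "EC"), signingString, expected, "SHA512withECDSA");
                return;
            default:
                throw new IllegalArgumentException("Unsupported algorithm: " + normalizedAlg);
        }
    }

    /**
     * Wraps the UTF-8 bytes of {@code key} as an HMAC key for {@code macAlgorithm}.
     *
     * <p>The secret is used exactly as given; no length or strength check is applied here.
     */
    private SecretKey toSecretKey(String key, String macAlgorithm) {
        return new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), macAlgorithm);
    }

    /**
     * Parses {@code key} into a {@link PublicKey}, consulting the cache first when enabled.
     *
     * @param key Base64 X.509 SubjectPublicKeyInfo, optionally wrapped in PEM header/footer lines
     * @param keyAlgorithm key type; only {@code "RSA"} is implemented
     * @return the parsed (possibly cached) public key
     * @throws JwtException (status 401, "Invalid signing") if the key type is not RSA or the key
     *     cannot be parsed
     */
    private PublicKey toPublicKey(String key, String keyAlgorithm) {
        PublicKey cached = this.useCache ? this.publicKeyCache.get(key) : null;
        if (cached != null) {
            return cached;
        }
        String base64Body = key
                .replace("-----BEGIN RSA KEY-----", "")
                .replace("-----END RSA KEY-----", "")
                .replace("-----BEGIN PUBLIC KEY-----", "")
                .replace("-----END PUBLIC KEY-----", "")
                .replace("-----BEGIN RSA PUBLIC KEY-----", "")
                .replace("-----END RSA PUBLIC KEY-----", "")
                .replace("\n", "")
                .trim();
        // NOTE(review): decoding happens outside the try block, so malformed Base64 surfaces as
        // the decoder's IllegalArgumentException rather than a 401 JwtException.
        byte[] decoded = Base64.getDecoder().decode(base64Body);
        try {
            switch (keyAlgorithm) {
                case "RSA": {
                    // NOTE(review): the key factory lookup does not use the configured jcaProvider.
                    PublicKey parsed = KeyFactory.getInstance(keyAlgorithm).generatePublic(new X509EncodedKeySpec(decoded));
                    if (this.useCache) {
                        this.publicKeyCache.putIfAbsent(key, parsed);
                    }
                    return parsed;
                }
                case "EC": // not implemented: rejected like any unknown key type
                default:
                    throw new JwtException("Invalid signing", 401);
            }
        } catch (Exception e) {
            // Every parsing failure is reported to the caller as the same 401.
            throw new JwtException("Invalid signing", 401);
        }
    }

    /**
     * Recomputes the HMAC of {@code signingString} and compares it with the Base64URL-decoded
     * {@code signature}.
     *
     * @throws JwtException (status 401, "Invalid signature") on mismatch or on any failure while
     *     computing the MAC or decoding the signature
     */
    private void verifyMac(SecretKey secretKey, String signingString, String signature) {
        try {
            Mac mac = this.jcaProvider == null
                    ? Mac.getInstance(secretKey.getAlgorithm())
                    : Mac.getInstance(secretKey.getAlgorithm(), this.jcaProvider);
            mac.init(secretKey);
            mac.update(signingString.getBytes(StandardCharsets.UTF_8));
            byte[] computed = mac.doFinal();
            byte[] presented = Base64.getUrlDecoder().decode(signature);
            // MessageDigest.isEqual is used instead of Arrays.equals, which returns at the first
            // differing byte and so lets response timing reveal how much of a presented MAC
            // matched the expected one.
            if (!java.security.MessageDigest.isEqual(computed, presented)) {
                invalidSignature();
            }
        } catch (Exception e) {
            // Also reached by the JwtException thrown just above; the outcome is the same 401.
            invalidSignature();
        }
    }

    /**
     * Verifies {@code signature} (Base64URL) over the UTF-8 bytes of {@code signingString} with
     * the given public key and JCA signature algorithm name.
     *
     * @throws JwtException (status 401, "Invalid signature") if verification fails or any step
     *     throws
     */
    private void verifySignature(PublicKey publicKey, String signingString, String signature, String jcaAlgorithm) {
        try {
            Signature verifier = this.jcaProvider == null
                    ? Signature.getInstance(jcaAlgorithm)
                    : Signature.getInstance(jcaAlgorithm, this.jcaProvider);
            verifier.initVerify(publicKey);
            verifier.update(signingString.getBytes(StandardCharsets.UTF_8));
            if (!verifier.verify(Base64.getUrlDecoder().decode(signature))) {
                invalidSignature();
            }
        } catch (Exception e) {
            // Decoding errors, provider errors and key errors all end in the same 401.
            invalidSignature();
        }
    }

    /** Always throws the 401 used for every signature-verification failure. */
    private void invalidSignature() {
        throw new JwtException("Invalid signature", 401);
    }
}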
