package org.apache.kerby.kerberos.provider.token;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.RSAEncrypter;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.SignedJWT;
import java.nio.charset.Charset;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.provider.TokenEncoder;
import org.apache.kerby.kerberos.kerb.spec.base.AuthToken;

/* loaded from: input_file:org/apache/kerby/kerberos/provider/token/JwtTokenEncoder.class */
/**
 * Serializes a {@link JwtAuthToken} into compact JWT form, optionally signing it,
 * encrypting it, or both, depending on which keys have been configured.
 *
 * <p>Protection applied by {@link #encodeAsString(AuthToken)}:
 * <ul>
 *   <li>sign key and encryption key set: the claims are signed, and the signed JWT
 *       is then wrapped in a JWE (nested JWT, header {@code cty} = "JWT");</li>
 *   <li>sign key only: a signed JWT is produced;</li>
 *   <li>encryption key only: an encrypted JWT is produced. This gives
 *       confidentiality but no proof of origin, because anyone holding the RSA
 *       public key can build an equally valid ciphertext;</li>
 *   <li>no key set: the wrapped JWT is serialized exactly as the token holds it.
 *       This encoder adds no signature and no encryption in that case, so a
 *       consumer that needs integrity must make sure a sign key is configured.</li>
 * </ul>
 */
public class JwtTokenEncoder implements TokenEncoder {
    // JWE key-management algorithm. RSA-OAEP in RFC 7518 uses the default OAEP
    // parameters (SHA-1 with MGF1); moving to a SHA-256 variant would have to be
    // done together with whatever decodes these tokens.
    private static JWEAlgorithm jweAlgorithm = JWEAlgorithm.RSA_OAEP;
    // JWE content-encryption method: AES-GCM with a 128-bit key.
    private static EncryptionMethod encryptionMethod = EncryptionMethod.A128GCM;
    // JWS signature algorithm: RSASSA-PKCS1-v1_5 with SHA-256.
    private static JWSAlgorithm jwsAlgorithm = JWSAlgorithm.RS256;
    // Recipient's RSA public key; null means "do not encrypt".
    private RSAPublicKey encryptionKey;
    // Issuer's RSA private key; null means "do not sign".
    private RSAPrivateKey signKey;

    /**
     * Encodes the token and returns the compact serialization as UTF-8 bytes.
     *
     * @param authToken the token to encode; must be a {@link JwtAuthToken}
     * @return the UTF-8 bytes of {@link #encodeAsString(AuthToken)}
     * @throws KrbException if the token has the wrong type or encoding fails
     */
    public byte[] encodeAsBytes(AuthToken authToken) throws KrbException {
        String compact = encodeAsString(authToken);
        return compact.getBytes(Charset.forName("UTF-8"));
    }

    /**
     * Encodes the token as a compact JWT string, applying the protection described
     * in the class documentation according to the keys currently set.
     *
     * @param authToken the token to encode; must be a {@link JwtAuthToken}
     * @return the compact serialization (signed, encrypted, nested, or as-is)
     * @throws KrbException if {@code authToken} is not a {@link JwtAuthToken}, or
     *         if reading the claims, signing, or encrypting fails
     */
    public String encodeAsString(AuthToken authToken) throws KrbException {
        if (!(authToken instanceof JwtAuthToken)) {
            throw new KrbException("Unexpected AuthToken, not JwtAuthToken");
        }
        JWT jwt = ((JwtAuthToken) authToken).getJwt();

        if (this.signKey != null) {
            return signAndMaybeEncrypt(jwt);
        }
        if (this.encryptionKey != null) {
            return encryptOnly(jwt);
        }
        // No key configured: emit the JWT as the token holds it, with no
        // signature or encryption added here.
        return jwt.serialize();
    }

    /**
     * Signs the claims of {@code jwt} with the configured sign key and, when an
     * encryption key is also set, wraps the signed JWT in a JWE.
     */
    private String signAndMaybeEncrypt(JWT jwt) throws KrbException {
        RSASSASigner signer = new RSASSASigner(this.signKey);

        SignedJWT signed;
        try {
            signed = new SignedJWT(new JWSHeader(jwsAlgorithm), jwt.getJWTClaimsSet());
        } catch (ParseException parseFailure) {
            throw new KrbException("Failed to get JWT claims set", parseFailure);
        }

        try {
            signed.sign(signer);
        } catch (JOSEException signFailure) {
            throw new KrbException("Failed to sign the Signed JWT", signFailure);
        }

        if (this.encryptionKey == null) {
            return signed.serialize();
        }

        // Sign-then-encrypt: "cty" = "JWT" marks the JWE payload as a nested JWT.
        JWEHeader nestedHeader = new JWEHeader.Builder(jweAlgorithm, encryptionMethod)
                .contentType("JWT")
                .build();
        JWEObject envelope = new JWEObject(nestedHeader, new Payload(signed));
        try {
            envelope.encrypt(new RSAEncrypter(this.encryptionKey));
            return envelope.serialize();
        } catch (JOSEException encryptFailure) {
            throw new KrbException("Failed to encrypt the JWE object", encryptFailure);
        }
    }

    /**
     * Encrypts the claims of {@code jwt} to the configured encryption key without
     * signing them first.
     */
    private String encryptOnly(JWT jwt) throws KrbException {
        EncryptedJWT encrypted;
        try {
            encrypted = new EncryptedJWT(new JWEHeader(jweAlgorithm, encryptionMethod), jwt.getJWTClaimsSet());
        } catch (ParseException parseFailure) {
            throw new KrbException("Failed to get JWT claims set", parseFailure);
        }

        try {
            encrypted.encrypt(new RSAEncrypter(this.encryptionKey));
            return encrypted.serialize();
        } catch (JOSEException encryptFailure) {
            throw new KrbException("Failed to encrypt the encrypted JWT", encryptFailure);
        }
    }

    /**
     * Sets the RSA public key tokens are encrypted to.
     *
     * @param rSAPublicKey the recipient's public key, or {@code null} to turn
     *        encryption off
     */
    public void setEncryptionKey(RSAPublicKey rSAPublicKey) {
        this.encryptionKey = rSAPublicKey;
    }

    /**
     * Sets the RSA private key tokens are signed with.
     *
     * @param rSAPrivateKey the issuer's private key, or {@code null} to turn
     *        signing off
     */
    public void setSignKey(RSAPrivateKey rSAPrivateKey) {
        this.signKey = rSAPrivateKey;
    }
}
