package org.apache.cxf.rs.security.jose.jws;

import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.security.spec.AlgorithmParameterSpec;
import java.util.logging.Logger;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jws.JwsException;
import org.apache.cxf.rt.security.crypto.CryptoUtils;

/* loaded from: input_file:lib/cxf-shade-9.0.0.RC1.jar:org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.class */
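/**
 * Verifies JWS signatures with a public key, optionally taken from an X.509 certificate.
 *
 * <p>The verifier is pinned to one {@link SignatureAlgorithm} at construction time. The
 * algorithm named in the JWS headers comes from the token being verified, so it is accepted
 * only when it passes {@link #isValidAlgorithmFamily(String)} and equals the pinned
 * algorithm's JWA name; anything else is rejected before any cryptographic operation runs.
 *
 * <p>This class does not validate the certificate it is given (no chain, validity-period or
 * revocation check is performed here); establishing trust in the key is the caller's job.
 */
public class PublicKeyJwsSignatureVerifier implements JwsSignatureVerifier {
    protected static final Logger LOG = LogUtils.getL7dLogger(PublicKeyJwsSignatureVerifier.class);
    private final PublicKey key;
    private final AlgorithmParameterSpec signatureSpec;
    private final SignatureAlgorithm supportedAlgo;
    private final X509Certificate cert;

    /* loaded from: input_file:lib/cxf-shade-9.0.0.RC1.jar:org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier$PublicKeyJwsVerificationSignature.class */
    /**
     * Streaming adapter around a {@link Signature} that has already been prepared for
     * verification. Any failure from the underlying engine is reported as
     * {@link JwsException.Error#INVALID_SIGNATURE}.
     */
    private static final class PublicKeyJwsVerificationSignature implements JwsVerificationSignature {
        private final Signature sig;

        PublicKeyJwsVerificationSignature(Signature signature) {
            this.sig = signature;
        }

        /**
         * Feeds {@code i2} bytes of {@code bArr}, starting at offset {@code i}, into the signature.
         *
         * @throws JwsException with {@code INVALID_SIGNATURE} if the underlying engine fails
         */
        @Override // org.apache.cxf.rs.security.jose.jws.JwsVerificationSignature
        public void update(byte[] bArr, int i, int i2) {
            try {
                this.sig.update(bArr, i, i2);
            } catch (Exception e) {
                throw new JwsException(JwsException.Error.INVALID_SIGNATURE, e);
            }
        }

        /**
         * Checks the supplied signature bytes against the data fed through {@link #update}.
         *
         * @return the result of {@link Signature#verify(byte[])}
         * @throws JwsException with {@code INVALID_SIGNATURE} if the underlying engine fails
         */
        @Override // org.apache.cxf.rs.security.jose.jws.JwsVerificationSignature
        public boolean verify(byte[] bArr) {
            try {
                return this.sig.verify(bArr);
            } catch (Exception e) {
                throw new JwsException(JwsException.Error.INVALID_SIGNATURE, e);
            }
        }
    }

    /**
     * Creates a verifier for {@code publicKey} pinned to {@code signatureAlgorithm}, with no
     * algorithm parameter spec.
     */
    public PublicKeyJwsSignatureVerifier(PublicKey publicKey, SignatureAlgorithm signatureAlgorithm) {
        this(publicKey, (AlgorithmParameterSpec) null, signatureAlgorithm);
    }

    /**
     * Creates a verifier for {@code publicKey} pinned to {@code signatureAlgorithm}.
     *
     * @param publicKey key used to verify signatures; passed to
     *     {@code JwsUtils.checkSignatureKeySize} before the constructor returns
     * @param algorithmParameterSpec optional parameters handed to the signature engine, may be null
     * @param signatureAlgorithm the only algorithm this verifier will accept
     */
    public PublicKeyJwsSignatureVerifier(PublicKey publicKey, AlgorithmParameterSpec algorithmParameterSpec, SignatureAlgorithm signatureAlgorithm) {
        this.key = publicKey;
        this.cert = null;
        this.signatureSpec = algorithmParameterSpec;
        this.supportedAlgo = signatureAlgorithm;
        JwsUtils.checkSignatureKeySize(publicKey);
    }

    /**
     * Creates a verifier for the public key of {@code x509Certificate} pinned to
     * {@code signatureAlgorithm}, with no algorithm parameter spec.
     */
    public PublicKeyJwsSignatureVerifier(X509Certificate x509Certificate, SignatureAlgorithm signatureAlgorithm) {
        this(x509Certificate, (AlgorithmParameterSpec) null, signatureAlgorithm);
    }

    /**
     * Creates a verifier for the public key of {@code x509Certificate} pinned to
     * {@code signatureAlgorithm}.
     *
     * <p>Only the public key is extracted and the certificate is kept for
     * {@link #getX509Certificate()}; the certificate itself is not validated here. A null
     * certificate is tolerated and leaves the verifier without a key.
     *
     * @param x509Certificate certificate carrying the verification key, may be null
     * @param algorithmParameterSpec optional parameters handed to the signature engine, may be null
     * @param signatureAlgorithm the only algorithm this verifier will accept
     */
    public PublicKeyJwsSignatureVerifier(X509Certificate x509Certificate, AlgorithmParameterSpec algorithmParameterSpec, SignatureAlgorithm signatureAlgorithm) {
        this.key = x509Certificate != null ? x509Certificate.getPublicKey() : null;
        this.cert = x509Certificate;
        this.signatureSpec = algorithmParameterSpec;
        this.supportedAlgo = signatureAlgorithm;
        JwsUtils.checkSignatureKeySize(this.key);
    }

    /**
     * Verifies {@code bArr} as the signature over the UTF-8 bytes of {@code str}.
     *
     * @param jwsHeaders headers of the JWS being verified; their algorithm must match the pinned one
     * @param str the signing input
     * @param bArr the signature bytes
     * @return the result of {@code CryptoUtils.verifySignature}
     * @throws JwsException with {@code INVALID_SIGNATURE} on any failure. The catch below wraps
     *     every exception, so an algorithm rejected by {@link #checkAlgorithm} is also reported
     *     as {@code INVALID_SIGNATURE} here, with the original exception as the cause.
     */
    @Override // org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier
    public boolean verify(JwsHeaders jwsHeaders, String str, byte[] bArr) {
        try {
            // Check the header algorithm against the pinned one before touching the crypto layer.
            String javaAlgoName = AlgorithmUtils.toJavaName(checkAlgorithm(jwsHeaders.getSignatureAlgorithm()));
            return CryptoUtils.verifySignature(StringUtils.toBytesUTF8(str), bArr, this.key, javaAlgoName, this.signatureSpec);
        } catch (Exception e) {
            LOG.warning("Invalid signature: " + e.getMessage());
            throw new JwsException(JwsException.Error.INVALID_SIGNATURE, e);
        }
    }

    /**
     * Accepts the header algorithm only if it belongs to a valid family and equals the
     * algorithm this verifier was constructed with.
     *
     * <p>A header without an algorithm (null {@code signatureAlgorithm} or null JWA name) is
     * reported as {@code ALGORITHM_NOT_SET} instead of surfacing as a NullPointerException,
     * and a verifier constructed without a pinned algorithm rejects every header algorithm.
     *
     * @param signatureAlgorithm algorithm taken from the JWS headers, may be null
     * @return the accepted JWA algorithm name
     * @throws JwsException with {@code ALGORITHM_NOT_SET} or {@code INVALID_ALGORITHM}
     */
    protected String checkAlgorithm(SignatureAlgorithm signatureAlgorithm) {
        String jwaName = signatureAlgorithm == null ? null : signatureAlgorithm.getJwaName();
        if (jwaName == null) {
            LOG.warning("Signature algorithm is not set");
            throw new JwsException(JwsException.Error.ALGORITHM_NOT_SET);
        }
        // Fail closed: with no pinned algorithm there is nothing the header value may match.
        String pinnedName = this.supportedAlgo == null ? null : this.supportedAlgo.getJwaName();
        if (isValidAlgorithmFamily(jwaName) && jwaName.equals(pinnedName)) {
            return jwaName;
        }
        LOG.warning("Invalid signature algorithm: " + jwaName);
        throw new JwsException(JwsException.Error.INVALID_ALGORITHM);
    }

    /**
     * Tells whether {@code str} names an algorithm family this verifier handles; this
     * implementation delegates to {@code AlgorithmUtils.isRsaSign}. Subclasses may override it.
     */
    protected boolean isValidAlgorithmFamily(String str) {
        return AlgorithmUtils.isRsaSign(str);
    }

    /** Returns the algorithm this verifier was constructed with. */
    @Override // org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier
    public SignatureAlgorithm getAlgorithm() {
        return this.supportedAlgo;
    }

    /** Returns the certificate given at construction, or null when a bare key was used. */
    public X509Certificate getX509Certificate() {
        return this.cert;
    }

    /**
     * Creates a streaming verification object for the algorithm named in {@code jwsHeaders}.
     *
     * @throws JwsException with {@code ALGORITHM_NOT_SET} or {@code INVALID_ALGORITHM} when the
     *     header algorithm is rejected by {@link #checkAlgorithm}
     */
    @Override // org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier
    public JwsVerificationSignature createJwsVerificationSignature(JwsHeaders jwsHeaders) {
        String javaAlgoName = AlgorithmUtils.toJavaName(checkAlgorithm(jwsHeaders.getSignatureAlgorithm()));
        return new PublicKeyJwsVerificationSignature(CryptoUtils.getVerificationSignature(this.key, javaAlgoName, this.signatureSpec));
    }
}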
