package org.apache.cxf.rs.security.oauth2.tokens.jwt;

import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Iterator;
import java.util.List;
import javax.crypto.SecretKey;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
import org.apache.cxf.rs.security.jose.jwe.JweUtils;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jws.NoneJwsSignatureProvider;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.tokens.bearer.BearerAccessToken;

/* loaded from: input_file:lib/cxf-rt-rs-security-oauth2-3.1.5.jar:org/apache/cxf/rs/security/oauth2/tokens/jwt/JwtAccessTokenUtils.class */
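/**
 * Static helpers that turn a {@link JwtToken} into an OAuth2 bearer access token
 * (by JWE-encrypting or JWS-signing it) and that recover the {@link JwtToken}
 * from such an access token string.
 *
 * <p>Security notes for callers, based on what this class itself does:
 * <ul>
 *   <li>The recovery methods ({@code decryptFrom...} and {@code verifyAccessToken})
 *       only decrypt or check the signature. They do not validate any claim
 *       (subject, audience, time-based claims); the caller has to do that.</li>
 *   <li>The encrypted form wraps an <em>unsigned</em> JWS (algorithm "none"), so the
 *       integrity of an encrypted token rests entirely on the JWE provider in use.</li>
 * </ul>
 */
public final class JwtAccessTokenUtils {
    /** Utility class, not meant to be instantiated. */
    private JwtAccessTokenUtils() {
    }

    /**
     * Encrypts the JWT with the given secret key used directly as the content
     * encryption key (A128GCM) and wraps the result in a bearer access token.
     *
     * @param jwtToken the token whose claims are validated and serialised
     * @param client the client the access token is issued to
     * @param secretKey the symmetric key used for direct-key JWE encryption
     * @return the bearer access token whose key is the JWE compact string
     * @throws SecurityException if the subject, audience or time claims are rejected
     */
    public static ServerAccessToken encryptToAccessToken(JwtToken jwtToken, Client client, SecretKey secretKey) {
        return encryptToAccessToken(jwtToken, client, JweUtils.getDirectKeyJweEncryption(secretKey, ContentAlgorithm.A128GCM));
    }

    /**
     * Serialises the JWT as an unsigned JWS, encrypts the UTF-8 bytes with the
     * supplied provider and wraps the result in a bearer access token.
     *
     * <p>The inner JWS is produced with {@link NoneJwsSignatureProvider}, so nothing
     * but the JWE layer protects the claims against modification.
     * NOTE(review): with a provider that encrypts to a public key, possession of that
     * public key would presumably be enough to produce an acceptable token; confirm
     * that only symmetric, authenticated providers are passed in here.
     *
     * @param jwtToken the token whose claims are validated and serialised
     * @param client the client the access token is issued to
     * @param jweEncryptionProvider the provider performing the JWE encryption
     * @return the bearer access token whose key is the JWE compact string
     * @throws SecurityException if the subject, audience or time claims are rejected
     */
    public static ServerAccessToken encryptToAccessToken(JwtToken jwtToken, Client client, JweEncryptionProvider jweEncryptionProvider) {
        String unsignedJws = new JwsJwtCompactProducer(jwtToken).signWith(new NoneJwsSignatureProvider());
        return toAccessToken(jwtToken, client, jweEncryptionProvider.encrypt(getBytes(unsignedJws), null));
    }

    /**
     * Validates the claims against the client and builds the bearer access token
     * around the already serialised token string.
     *
     * @param jwtToken the token supplying the claims
     * @param client the client the access token is issued to
     * @param str the serialised (signed or encrypted) token used as the token key
     * @return the bearer access token
     * @throws SecurityException if subject or audience do not match the client, or if
     *         the issued-at or not-before claim is absent
     */
    private static ServerAccessToken toAccessToken(JwtToken jwtToken, Client client, String str) {
        JwtClaims claims = jwtToken.getClaims();
        validateJwtSubjectAndAudience(claims, client);
        // Both time claims are unboxed below; reject their absence explicitly so the
        // caller sees a SecurityException like every other claim failure, not a bare
        // NullPointerException.
        Long issuedAt = claims.getIssuedAt();
        if (issuedAt == null) {
            throw new SecurityException("Missing issued-at claim");
        }
        Long notBefore = claims.getNotBefore();
        if (notBefore == null) {
            throw new SecurityException("Missing not-before claim");
        }
        // NOTE(review): the second time value is derived from the not-before claim, not
        // from the expiry claim, which is unusual for a token lifetime. The parameter
        // order of the BearerAccessToken constructor is also not visible in this file.
        // Confirm both against BearerAccessToken before relying on the token's expiry.
        return new BearerAccessToken(client, str, issuedAt.longValue(), notBefore.longValue() - issuedAt.longValue());
    }

    /**
     * Decrypts an access token that was encrypted with the given secret key used
     * directly as the content encryption key (A128GCM).
     *
     * <p>The doubled "from" in the method name is part of the published API and is
     * kept for compatibility.
     *
     * @param str the JWE compact string carried as the access token
     * @param secretKey the symmetric key used for direct-key JWE decryption
     * @return the JWT parsed from the decrypted content; its claims are not validated here
     */
    public static JwtToken decryptFromfromAccessToken(String str, SecretKey secretKey) {
        return decryptFromAccessToken(str, JweUtils.getDirectKeyJweDecryption(secretKey, ContentAlgorithm.A128GCM));
    }

    /**
     * Decrypts an access token with the supplied provider and parses the decrypted
     * text as a compact JWS.
     *
     * <p>No signature is verified and no claim is validated by this method; the
     * returned token is only as trustworthy as the decryption step.
     *
     * @param str the JWE compact string carried as the access token
     * @param jweDecryptionProvider the provider performing the JWE decryption
     * @return the JWT parsed from the decrypted content
     */
    public static JwtToken decryptFromAccessToken(String str, JweDecryptionProvider jweDecryptionProvider) {
        String decryptedJws = jweDecryptionProvider.decrypt(str).getContentText();
        return new JwsJwtCompactConsumer(decryptedJws).getJwtToken();
    }

    /**
     * Signs the JWT with the given RSA private key (RS256) and wraps the result in
     * a bearer access token.
     *
     * @param jwtToken the token whose claims are validated and serialised
     * @param client the client the access token is issued to
     * @param rSAPrivateKey the key used to sign
     * @return the bearer access token whose key is the JWS compact string
     * @throws SecurityException if the subject, audience or time claims are rejected
     */
    public static ServerAccessToken signToAccessToken(JwtToken jwtToken, Client client, RSAPrivateKey rSAPrivateKey) {
        return signToAccessToken(jwtToken, client, JwsUtils.getPrivateKeySignatureProvider(rSAPrivateKey, SignatureAlgorithm.RS256));
    }

    /**
     * Signs the JWT with the supplied signature provider and wraps the result in a
     * bearer access token.
     *
     * @param jwtToken the token whose claims are validated and serialised
     * @param client the client the access token is issued to
     * @param jwsSignatureProvider the provider producing the JWS signature
     * @return the bearer access token whose key is the JWS compact string
     * @throws SecurityException if the subject, audience or time claims are rejected
     */
    public static ServerAccessToken signToAccessToken(JwtToken jwtToken, Client client, JwsSignatureProvider jwsSignatureProvider) {
        return toAccessToken(jwtToken, client, new JwsJwtCompactProducer(jwtToken).signWith(jwsSignatureProvider));
    }

    /**
     * Verifies the access token's signature with the given RSA public key (RS256).
     *
     * @param str the JWS compact string carried as the access token
     * @param rSAPublicKey the key used to verify the signature
     * @return the parsed JWT; its claims are not validated here
     * @throws SecurityException if the signature does not verify
     */
    public static JwtToken verifyAccessToken(String str, RSAPublicKey rSAPublicKey) {
        return verifyAccessToken(str, JwsUtils.getPublicKeySignatureVerifier(rSAPublicKey, SignatureAlgorithm.RS256));
    }

    /**
     * Verifies the access token's signature with the supplied verifier.
     *
     * <p>Only the signature is checked. Subject, audience and time-based claims are
     * not examined, so the caller must validate them before trusting the token.
     *
     * @param str the JWS compact string carried as the access token
     * @param jwsSignatureVerifier the verifier to check the signature with
     * @return the parsed JWT
     * @throws SecurityException if the signature does not verify
     */
    public static JwtToken verifyAccessToken(String str, JwsSignatureVerifier jwsSignatureVerifier) {
        JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(str);
        if (!consumer.verifySignatureWith(jwsSignatureVerifier)) {
            // Give the failure a message so it can be told apart in logs from the
            // claim-validation failures raised elsewhere in this class.
            throw new SecurityException("Invalid signature");
        }
        return consumer.getJwtToken();
    }

    /**
     * Checks that the subject equals the client id and that the audience claim is
     * acceptable for the client.
     *
     * @param jwtClaims the claims to check
     * @param client the client the claims must belong to
     * @throws SecurityException with "Invalid subject" if the subject is absent or is
     *         not the client id, or with "Invalid audience" if no audience is present
     *         or none of them is registered for the client
     */
    private static void validateJwtSubjectAndAudience(JwtClaims jwtClaims, Client client) {
        String subject = jwtClaims.getSubject();
        if (subject == null || !subject.equals(client.getClientId())) {
            throw new SecurityException("Invalid subject");
        }
        List<String> audiences = jwtClaims.getAudiences();
        if (audiences == null || audiences.isEmpty()) {
            throw new SecurityException("Invalid audience");
        }
        if (client.getRegisteredAudiences().isEmpty()) {
            // NOTE(review): a client with no registered audiences accepts any
            // non-empty audience claim; confirm that this fail-open case is intended.
            return;
        }
        // One registered audience among the claimed ones is enough.
        for (String audience : audiences) {
            if (client.getRegisteredAudiences().contains(audience)) {
                return;
            }
        }
        throw new SecurityException("Invalid audience");
    }

    /** Encodes the string as UTF-8 bytes. */
    private static byte[] getBytes(String str) {
        return StringUtils.toBytesUTF8(str);
    }
}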
