package de.governikus.autent.crypto.utils;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.KeyLengthException;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.DirectDecrypter;
import com.nimbusds.jose.crypto.DirectEncrypter;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSAEncrypter;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.SignedJWT;
import de.governikus.autent.crypto.utils.exceptions.JoseDecryptionException;
import de.governikus.autent.crypto.utils.exceptions.JoseEncryptionException;
import de.governikus.autent.crypto.utils.exceptions.JoseInvalidKeyException;
import de.governikus.autent.crypto.utils.exceptions.JoseSecurityFailureException;
import de.governikus.autent.crypto.utils.exceptions.JoseSignatureException;
import de.governikus.autent.crypto.utils.exceptions.JwtParseException;
import de.governikus.autent.crypto.utils.exceptions.SignatureException;
import java.security.Key;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import javax.crypto.SecretKey;
import lombok.NonNull;
import net.minidev.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/governikus/autent/crypto/utils/JOSE.class */
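/**
 * Thin wrapper around nimbus-jose-jwt for the four operations this application needs:
 * symmetric ("dir") JWE, RSA-OAEP-256 JWE, HMAC JWS and RSASSA JWS.
 * <p>
 * Review notes on the hardening applied here:
 * <ul>
 *   <li>{@link #verifySignature(String)} dispatches on the <em>configured</em> verification key, not on the
 *       untrusted {@code alg} header, and {@link #verifyHMacSignature(String)} refuses asymmetric keys. Otherwise a
 *       caller holding an RSA public key would accept an HS256 token that an attacker MAC'ed with the public key's
 *       encoded bytes (classic RS/HS key confusion).</li>
 *   <li>The decrypt methods pin {@code alg}/{@code enc} to the algorithms this class itself produces.</li>
 *   <li>Plaintext, claims and tokens are no longer written to log or exception messages.</li>
 *   <li>Several copy-paste defects are fixed: encrypt checked the decryption key for null, decrypt type-checked the
 *       encryption key, the RSA verify error reported the signing key's length, and keys were dereferenced for
 *       logging before their null check.</li>
 * </ul>
 * Instances are immutable; thread-safety otherwise depends on the nimbus objects created per call.
 */
public class JOSE {
    private static final Logger log = LoggerFactory.getLogger(JOSE.class);

    /** A JWS header without "alg" is rejected outright; an unsigned/"none" token must never verify. */
    private static final String MISSING_ALGORITHM_MESSAGE =
        "It is not allowed to omit the signature algorithm in the autent-id-connect application";

    /** Used by the encrypt* methods: a SecretKey for "dir", an RSAPublicKey for RSA-OAEP-256. */
    private final Key encryptionKey;
    /** Used by the decrypt* methods: a SecretKey for "dir", an RSAPrivateKey for RSA-OAEP-256. */
    private final Key decryptionKey;
    /** Used by the sign* methods: a SecretKey for HMAC, a PrivateKey for RSASSA. */
    private final Key signingKey;
    /** Used by the verify* methods: a SecretKey for HMAC, an RSAPublicKey for RSASSA. */
    private final Key signatureVerificationKey;

    /**
     * AES-GCM content-encryption methods. For symmetric use the variant is derived from the key length, see
     * {@link #determineSymmetricAlgorithm(Key)}; no CBC-HMAC method is ever produced or accepted.
     */
    public enum ContentEncryptionAlgorithm {
        AES_128_GCM(EncryptionMethod.A128GCM),
        AES_192_GCM(EncryptionMethod.A192GCM),
        AES_256_GCM(EncryptionMethod.A256GCM);

        private final EncryptionMethod encryptionMethod;

        ContentEncryptionAlgorithm(EncryptionMethod encryptionMethod) {
            this.encryptionMethod = encryptionMethod;
        }

        public EncryptionMethod getEncryptionMethod() {
            return this.encryptionMethod;
        }

        /**
         * @param method the "enc" header value of a parsed JWE (may be null)
         * @return the matching constant, or null when this class never produces {@code method}
         */
        static ContentEncryptionAlgorithm fromEncryptionMethod(EncryptionMethod method) {
            for (ContentEncryptionAlgorithm candidate : values()) {
                if (candidate.encryptionMethod.equals(method)) {
                    return candidate;
                }
            }
            return null;
        }
    }

    /** Key-management algorithms for asymmetric JWE. Only RSA-OAEP-256 is produced, so only it is accepted. */
    public enum KeyWrapAlgorithm {
        RSA_OAEP_256(JWEAlgorithm.RSA_OAEP_256);

        private final JWEAlgorithm jweAlgorithm;

        KeyWrapAlgorithm(JWEAlgorithm jweAlgorithm) {
            this.jweAlgorithm = jweAlgorithm;
        }

        public JWEAlgorithm getJweAlgorithm() {
            return this.jweAlgorithm;
        }

        /**
         * @param algorithm the "alg" header value of a parsed JWE (may be null)
         * @return the matching constant, or null when this class never produces {@code algorithm}
         */
        static KeyWrapAlgorithm fromJweAlgorithm(JWEAlgorithm algorithm) {
            for (KeyWrapAlgorithm candidate : values()) {
                if (candidate.jweAlgorithm.equals(algorithm)) {
                    return candidate;
                }
            }
            return null;
        }
    }

    /** RSASSA-PKCS1-v1_5 signature algorithms, named by their digest. PS* (RSA-PSS) is intentionally not included. */
    public enum SignatureMessageDigestAlgorithm {
        SHA_256(JWSAlgorithm.RS256),
        SHA_384(JWSAlgorithm.RS384),
        SHA_512(JWSAlgorithm.RS512);

        private final JWSAlgorithm jwsAlgorithm;

        SignatureMessageDigestAlgorithm(JWSAlgorithm jwsAlgorithm) {
            this.jwsAlgorithm = jwsAlgorithm;
        }

        public JWSAlgorithm getJwsAlgorithm() {
            return this.jwsAlgorithm;
        }

        /**
         * @param algorithm the "alg" header value of a parsed JWS (may be null)
         * @return the matching constant, or null when {@code algorithm} is not one of RS256/RS384/RS512
         */
        static SignatureMessageDigestAlgorithm fromJwsAlgorithm(JWSAlgorithm algorithm) {
            for (SignatureMessageDigestAlgorithm candidate : values()) {
                if (candidate.jwsAlgorithm.equals(algorithm)) {
                    return candidate;
                }
            }
            return null;
        }
    }

    /**
     * RSA setup from a private key and the certificate holding its public key: the public key encrypts and
     * verifies, the private key decrypts and signs.
     */
    public JOSE(PrivateKey privateKey, X509Certificate x509Certificate) {
        this(x509Certificate.getPublicKey(), privateKey, privateKey, x509Certificate.getPublicKey());
    }

    /** RSA setup from a key pair: the public key encrypts and verifies, the private key decrypts and signs. */
    public JOSE(PrivateKey privateKey, PublicKey publicKey) {
        this(publicKey, privateKey, privateKey, publicKey);
    }

    /** Symmetric setup with one secret for both "dir" encryption and HMAC signing. */
    public JOSE(SecretKey secretKey) {
        this(secretKey, secretKey, secretKey, secretKey);
    }

    /**
     * Symmetric setup with separate secrets.
     *
     * @param secretKey  the AES key used for "dir" encryption and decryption (16, 24 or 32 bytes)
     * @param secretKey2 the HMAC secret used for signing and verification (32, 48 or 64 bytes)
     */
    public JOSE(SecretKey secretKey, SecretKey secretKey2) {
        this(secretKey, secretKey, secretKey2, secretKey2);
    }

    /**
     * Fully explicit setup. Any key may be null; the corresponding operation then fails with a
     * {@link NullPointerException} when it is invoked.
     */
    public JOSE(Key key, Key key2, Key key3, Key key4) {
        this.encryptionKey = key;
        this.decryptionKey = key2;
        this.signingKey = key3;
        this.signatureVerificationKey = key4;
        logKeyLengths();
    }

    /**
     * Maps an AES key to the GCM method of matching size.
     *
     * @throws NullPointerException    if {@code key} is null
     * @throws JoseInvalidKeyException if the key material is not extractable or not 128/192/256 bits long
     */
    public static ContentEncryptionAlgorithm determineSymmetricAlgorithm(@NonNull Key key) {
        if (key == null) {
            throw new NullPointerException("secretKey is marked non-null but is null");
        }
        int keyBytes = encodedLength(key);
        switch (keyBytes) {
            case 16:
                return ContentEncryptionAlgorithm.AES_128_GCM;
            case 24:
                return ContentEncryptionAlgorithm.AES_192_GCM;
            case 32:
                return ContentEncryptionAlgorithm.AES_256_GCM;
            default:
                throw new JoseInvalidKeyException("key has an invalid length of '" + (keyBytes * 8)
                    + "'-Bit. Valid key-lengths are [128, 192, 256]");
        }
    }

    /**
     * Maps an HMAC secret to the HS algorithm of matching size. The secret length must equal the digest length;
     * it does not have to be an AES key.
     *
     * @throws NullPointerException    if {@code key} is null
     * @throws JoseInvalidKeyException if the key material is not extractable or not 256/384/512 bits long
     */
    public static JWSAlgorithm determineHMACAlgorithm(@NonNull Key key) {
        if (key == null) {
            throw new NullPointerException("secretKey is marked non-null but is null");
        }
        int keyBytes = encodedLength(key);
        switch (keyBytes) {
            case 32:
                return JWSAlgorithm.HS256;
            case 48:
                return JWSAlgorithm.HS384;
            case 64:
                return JWSAlgorithm.HS512;
            default:
                throw new JoseInvalidKeyException("key has an invalid length of '" + (keyBytes * 8)
                    + "'-Bit. Valid key-lengths are [256, 384, 512]. \nNote that the secret does not need to be an AES-key");
        }
    }

    /**
     * @return true iff the header's "alg" is HS256, HS384 or HS512
     * @throws JoseSecurityFailureException if the header carries no "alg" at all
     */
    public static boolean isValidHMacSignatureAlgorithm(JWSHeader jWSHeader) {
        JWSAlgorithm algorithm = requireAlgorithm(jWSHeader);
        return JWSAlgorithm.HS256.equals(algorithm)
            || JWSAlgorithm.HS384.equals(algorithm)
            || JWSAlgorithm.HS512.equals(algorithm);
    }

    /**
     * @return true iff the header's "alg" is RS256, RS384 or RS512 (the members of
     *         {@link SignatureMessageDigestAlgorithm})
     * @throws JoseSecurityFailureException if the header carries no "alg" at all
     */
    public static boolean isValidRsaSignatureAlgorithm(JWSHeader jWSHeader) {
        JWSAlgorithm algorithm = requireAlgorithm(jWSHeader);
        return SignatureMessageDigestAlgorithm.fromJwsAlgorithm(algorithm) != null;
    }

    /**
     * Encrypts {@code str} with the symmetric encryption key as a "dir" JWE. If {@code str} parses as a signed JWT it
     * is nested as such (cty=JWT), otherwise it is carried as an opaque string payload.
     *
     * @throws NullPointerException    if no encryption key is configured
     * @throws JoseEncryptionException if the encryption key is not a {@link SecretKey}
     * @throws JoseInvalidKeyException if the key length is not usable for AES-GCM
     */
    public String encryptWithSymmetrickey(String str) {
        if (this.encryptionKey == null) {
            throw new NullPointerException("encryption key must not be null");
        }
        if (log.isTraceEnabled()) {
            // the plaintext is deliberately not logged
            log.trace("encrypting plain text data with symmetric key {encryptionKeyType: '{}'}",
                      keyType(this.encryptionKey));
        }
        if (!(this.encryptionKey instanceof SecretKey)) {
            throw new JoseEncryptionException("the encryptionKey is not an instance of SecretKey, it is: "
                + this.encryptionKey.getClass());
        }
        ContentEncryptionAlgorithm algorithm = determineSymmetricAlgorithm(this.encryptionKey);
        if (log.isDebugEnabled()) {
            log.debug("using the {}-algorithm for encryption.", algorithm.getEncryptionMethod().getName());
        }
        JWEObject jweObject = buildJweObject(str, JWEAlgorithm.DIR, algorithm.getEncryptionMethod());
        try {
            jweObject.encrypt(new DirectEncrypter(this.encryptionKey.getEncoded()));
            return jweObject.serialize();
        } catch (JOSEException e) {
            throw new JoseInvalidKeyException("The symmetric key has a length that is not supported by the given algorithm. algorithm: '"
                + algorithm.getEncryptionMethod() + "', key-length: " + (encodedLength(this.encryptionKey) * 8), e);
        }
    }

    /**
     * Decrypts a "dir" JWE with the symmetric decryption key and returns the payload as a string.
     * The header must use alg=dir and exactly the GCM method implied by the configured key length; any other
     * combination is rejected before decryption so the token cannot pick a weaker mode for the same key bytes.
     *
     * @throws NullPointerException         if no decryption key is configured
     * @throws JoseDecryptionException      if the decryption key is not a {@link SecretKey}
     * @throws JwtParseException            if {@code str} is not a compact JWE
     * @throws JoseSecurityFailureException if the header algorithms do not match the configured key
     * @throws JoseInvalidKeyException      if decryption fails (wrong key or tampered token)
     */
    public String decryptWithSymmetricKey(String str) {
        if (this.decryptionKey == null) {
            throw new NullPointerException("decryption key must not be null!");
        }
        if (log.isTraceEnabled()) {
            log.trace("decrypting JWE-token with symmetric key {decryptionKeyType: '{}'}", keyType(this.decryptionKey));
        }
        if (!(this.decryptionKey instanceof SecretKey)) {
            throw new JoseDecryptionException("the decryptionKey is not an instance of SecretKey, it is: "
                + this.decryptionKey.getClass());
        }
        ContentEncryptionAlgorithm algorithm = determineSymmetricAlgorithm(this.decryptionKey);
        if (log.isDebugEnabled()) {
            log.debug("using the {}-algorithm for decryption.", algorithm.getEncryptionMethod().getName());
        }
        JWEObject jweObject;
        try {
            jweObject = JWEObject.parse(str);
        } catch (ParseException e) {
            throw new JwtParseException(e);
        }
        JWEHeader header = jweObject.getHeader();
        if (!JWEAlgorithm.DIR.equals(header.getAlgorithm())
            || !algorithm.getEncryptionMethod().equals(header.getEncryptionMethod())) {
            throw new JoseSecurityFailureException("the JWE header does not match the configured symmetric key. alg: '"
                + header.getAlgorithm() + "', enc: '" + header.getEncryptionMethod() + "', expected alg: '"
                + JWEAlgorithm.DIR + "', expected enc: '" + algorithm.getEncryptionMethod() + "'");
        }
        try {
            jweObject.decrypt(new DirectDecrypter(this.decryptionKey.getEncoded()));
            return jweObject.getPayload().toString();
        } catch (JOSEException e) {
            throw new JoseInvalidKeyException("decryption with the symmetric key failed (wrong key or tampered token). algorithm: '"
                + algorithm.getEncryptionMethod() + "', key-length: " + (encodedLength(this.decryptionKey) * 8), e);
        }
    }

    /** Decrypts an RSA JWE and verifies the nested RSA-signed JWS, returning its claims. */
    public JSONObject decryptAndValidateSignatureWithRSA(String str) {
        return verifyRsaSignature(decryptWithRSA(str));
    }

    /** Signs the claims with RSA and wraps the result in an RSA-OAEP-256 JWE (sign-then-encrypt). */
    public String encryptAndSignWithRSA(JWTClaimsSet jWTClaimsSet,
                                        SignatureMessageDigestAlgorithm signatureMessageDigestAlgorithm,
                                        ContentEncryptionAlgorithm contentEncryptionAlgorithm) {
        return encryptWithRSA(signClaimsSetWithRSA(jWTClaimsSet, signatureMessageDigestAlgorithm),
                              contentEncryptionAlgorithm);
    }

    /**
     * Produces an HS256/384/512 JWS over the claims; the variant follows the signing key length.
     *
     * @throws NullPointerException    if no signing key is configured
     * @throws JoseInvalidKeyException if the signing key is not a {@link SecretKey} or has an unusable length
     * @throws JoseSignatureException  if nimbus fails to sign
     */
    public String signClaimsSetWithHMac(JWTClaimsSet jWTClaimsSet) {
        if (this.signingKey == null) {
            throw new NullPointerException("signing key must not be null!");
        }
        if (log.isTraceEnabled()) {
            log.trace("signing JWT claimsSet with HMAC {signingKeyType: '{}'}", keyType(this.signingKey));
        }
        if (!(this.signingKey instanceof SecretKey)) {
            throw new JoseInvalidKeyException("HMAC signature cannot be created for the signing key is no secret key. It is: "
                + this.signingKey.getClass());
        }
        JWSAlgorithm algorithm = determineHMACAlgorithm(this.signingKey);
        if (log.isTraceEnabled()) {
            log.trace("using the HMAC-algorithm: {}", algorithm);
        }
        try {
            return sign(jWTClaimsSet, new MACSigner(this.signingKey.getEncoded()), algorithm);
        } catch (KeyLengthException e) {
            throw new JoseInvalidKeyException("the keylength should normally already be checked at this point... please check the code.\n\tkeylength: "
                + (encodedLength(this.signingKey) * 8) + "-Bit", e);
        }
    }

    /**
     * Encrypts the claims as a JSON payload with RSA-OAEP-256 and the given GCM method.
     *
     * @throws NullPointerException    if no encryption key is configured
     * @throws JoseEncryptionException if the encryption key is not an {@link RSAPublicKey} or encryption fails
     */
    public String encryptWithRSA(JWTClaimsSet jWTClaimsSet, ContentEncryptionAlgorithm contentEncryptionAlgorithm) {
        if (this.encryptionKey == null) {
            throw new NullPointerException("encryption key must not be null!");
        }
        if (log.isTraceEnabled()) {
            log.trace("encrypting claimsSet with RSA key {encryptionKeyType: '{}'}", keyType(this.encryptionKey));
        }
        JWEAlgorithm jweAlgorithm = KeyWrapAlgorithm.RSA_OAEP_256.getJweAlgorithm();
        if (log.isDebugEnabled()) {
            log.debug("using the {}-algorithm for encryption.", jweAlgorithm.getName());
        }
        if (!(this.encryptionKey instanceof RSAPublicKey)) {
            throw new JoseEncryptionException("the encryptionKey is not an instance of RSAPublicKey, it is: "
                + this.encryptionKey.getClass());
        }
        JWEHeader header = new JWEHeader.Builder(jweAlgorithm, contentEncryptionAlgorithm.getEncryptionMethod()).build();
        JWEObject jweObject = new JWEObject(header, new Payload(jWTClaimsSet.toJSONObject()));
        try {
            jweObject.encrypt(new RSAEncrypter((RSAPublicKey) this.encryptionKey));
            return jweObject.serialize();
        } catch (JOSEException e) {
            // the claims are not included in the message: it ends up in logs
            throw new JoseEncryptionException("encryption of failed.\n\tRSA-key-wrap-algorithm: " + jweAlgorithm
                + "\n\tcontent-encryption-algorithm: " + contentEncryptionAlgorithm.name(), e);
        }
    }

    /**
     * Creates and serializes a JWS over the claims with the given signer and algorithm.
     *
     * @throws JoseSignatureException if signing fails; the claims themselves are not put into the message
     */
    private String sign(JWTClaimsSet jWTClaimsSet, JWSSigner jWSSigner, JWSAlgorithm jWSAlgorithm) {
        SignedJWT signedJWT = new SignedJWT(new JWSHeader(jWSAlgorithm), jWTClaimsSet);
        try {
            signedJWT.sign(jWSSigner);
            return signedJWT.serialize();
        } catch (JOSEException e) {
            throw new JoseSignatureException("Signature could not be created with given claimSet:\n\tsigning implementation: "
                + jWSSigner.getClass() + "\n\tsignature-key-length: " + keyLengthBits(this.signingKey)
                + "\n\tjws algorithm: " + jWSAlgorithm, e);
        }
    }

    /**
     * Encrypts {@code str} with RSA-OAEP-256 and the given GCM method. If {@code str} parses as a signed JWT it is
     * nested as such (cty=JWT), otherwise it is carried as an opaque string payload.
     *
     * @throws NullPointerException    if no encryption key is configured
     * @throws JoseEncryptionException if the encryption key is not an {@link RSAPublicKey} or encryption fails
     */
    public String encryptWithRSA(String str, ContentEncryptionAlgorithm contentEncryptionAlgorithm) {
        if (this.encryptionKey == null) {
            throw new NullPointerException("encryption key must not be null!");
        }
        if (log.isTraceEnabled()) {
            log.trace("encrypting simple payload with RSA key {encryptionKeyType: '{}'}", keyType(this.encryptionKey));
        }
        JWEAlgorithm jweAlgorithm = KeyWrapAlgorithm.RSA_OAEP_256.getJweAlgorithm();
        if (log.isDebugEnabled()) {
            log.debug("using the {}-algorithm for encryption.", jweAlgorithm.getName());
        }
        if (!(this.encryptionKey instanceof RSAPublicKey)) {
            throw new JoseEncryptionException("the encryptionKey is not an instance of RSAPublicKey, it is: "
                + this.encryptionKey.getClass());
        }
        JWEObject jweObject = buildJweObject(str, jweAlgorithm, contentEncryptionAlgorithm.getEncryptionMethod());
        try {
            jweObject.encrypt(new RSAEncrypter((RSAPublicKey) this.encryptionKey));
            return jweObject.serialize();
        } catch (JOSEException e) {
            throw new JoseEncryptionException("encryption of failed.\n\tRSA-key-wrap-algorithm: " + jweAlgorithm.getName()
                + "\n\tcontent-encryption-algorithm: " + contentEncryptionAlgorithm.name(), e);
        }
    }

    /**
     * Verifies an RS256/384/512 JWS with the configured RSA public key and returns its JSON payload.
     *
     * @throws JwtParseException            if {@code str} is not a compact JWS
     * @throws JoseSecurityFailureException if the header "alg" is missing or not an RS* algorithm
     * @throws JoseInvalidKeyException      if the verification key is not an {@link RSAPublicKey}
     * @throws JoseSignatureException       if the signature does not verify
     */
    public JSONObject verifyRsaSignature(String str) throws JoseSecurityFailureException, JoseInvalidKeyException, JoseSignatureException {
        if (log.isTraceEnabled()) {
            log.trace("verifying RSA signature of JWS-token {signatureVerificationKeyType: '{}'}",
                      keyType(this.signatureVerificationKey));
        }
        JWSObject jwsObject = parseJwsObject(str);
        if (!isValidRsaSignatureAlgorithm(jwsObject.getHeader())) {
            throw new JoseSecurityFailureException("the given signature algorithm in the header is unknown or incompatible to the chosen operation 'RSA signature verification'!\nalg:\""
                + jwsObject.getHeader().getAlgorithm().getName() + "\"");
        }
        if (!(this.signatureVerificationKey instanceof RSAPublicKey)) {
            throw new JoseInvalidKeyException("RSA signature cannot be verified for the signature verification key is no public RSA key.\n\tkey-type of signature verification key: "
                + keyType(this.signatureVerificationKey));
        }
        verifySignature(new RSASSAVerifier((RSAPublicKey) this.signatureVerificationKey), jwsObject);
        return new JSONObject(jwsObject.getPayload().toJSONObject());
    }

    /**
     * Decrypts an RSA JWE with the configured private key and returns the payload as a string. Only the
     * algorithms this class itself produces (RSA-OAEP-256 with an AES-GCM method) are accepted; pinning them here
     * avoids relying on whichever key-management algorithms the nimbus {@link RSADecrypter} happens to enable
     * (it is not limited to RSA-OAEP-256 on its own).
     *
     * @throws NullPointerException         if no decryption key is configured
     * @throws JoseDecryptionException      if the key is not an {@link RSAPrivateKey} or decryption fails
     * @throws JwtParseException            if {@code str} is not a compact JWE
     * @throws JoseSecurityFailureException if the header uses an alg/enc this class does not produce
     */
    public String decryptWithRSA(String str) {
        if (this.decryptionKey == null) {
            throw new NullPointerException("decryption key must not be null!");
        }
        if (log.isTraceEnabled()) {
            log.trace("decrypting JWE-token with RSA key {decryptionKeyType: '{}'}", keyType(this.decryptionKey));
        }
        if (!(this.decryptionKey instanceof RSAPrivateKey)) {
            throw new JoseDecryptionException("the decryptionKey is not an instance of RSAPrivateKey. It is: "
                + this.decryptionKey.getClass());
        }
        EncryptedJWT encryptedJwt;
        try {
            encryptedJwt = EncryptedJWT.parse(str);
        } catch (ParseException e) {
            throw new JwtParseException(e);
        }
        JWEHeader header = encryptedJwt.getHeader();
        if (KeyWrapAlgorithm.fromJweAlgorithm(header.getAlgorithm()) == null
            || ContentEncryptionAlgorithm.fromEncryptionMethod(header.getEncryptionMethod()) == null) {
            throw new JoseSecurityFailureException("the JWE header uses an algorithm that is not accepted for RSA decryption. alg: '"
                + header.getAlgorithm() + "', enc: '" + header.getEncryptionMethod() + "'");
        }
        try {
            encryptedJwt.decrypt(new RSADecrypter((RSAPrivateKey) this.decryptionKey));
            return encryptedJwt.getPayload().toString();
        } catch (JOSEException e) {
            throw new JoseDecryptionException("the decryption of the jweToken has failed.", e);
        }
    }

    /**
     * Produces an RS256/384/512 JWS over the claims with the configured private key. Any {@link PrivateKey} is
     * accepted (e.g. a non-extractable HSM key); nimbus decides whether it can sign with it.
     *
     * @throws JoseInvalidKeyException if the signing key is null or not a {@link PrivateKey}
     * @throws JoseSignatureException  if nimbus fails to sign
     */
    public String signClaimsSetWithRSA(JWTClaimsSet jWTClaimsSet, SignatureMessageDigestAlgorithm signatureMessageDigestAlgorithm) {
        JWSAlgorithm jwsAlgorithm = signatureMessageDigestAlgorithm.getJwsAlgorithm();
        if (log.isTraceEnabled()) {
            log.trace("signing JWT claimsSet with RSA {signingKeyType: '{}', hash-algorithm: '{}'}",
                      keyType(this.signingKey), jwsAlgorithm.getName());
        }
        if (this.signingKey instanceof PrivateKey) {
            return sign(jWTClaimsSet, new RSASSASigner((PrivateKey) this.signingKey), jwsAlgorithm);
        }
        throw new JoseInvalidKeyException("RSA signature cannot be created for the signing key is no private RSA key.\n\tkey-type of signing key: "
            + keyType(this.signingKey));
    }

    /**
     * Verifies an HS256/384/512 JWS with the configured secret and returns its JSON payload.
     * The verification key must be a {@link SecretKey}: MAC'ing with the encoded bytes of an RSA public key would
     * let anyone who knows that public key forge tokens.
     *
     * @throws NullPointerException         if no verification key is configured
     * @throws JoseInvalidKeyException      if the key is not a {@link SecretKey} or has an unusable length
     * @throws JwtParseException            if {@code str} is not a compact JWS
     * @throws JoseSecurityFailureException if the header "alg" is missing or not an HS* algorithm
     * @throws JoseSignatureException       if the MAC does not verify
     */
    public JSONObject verifyHMacSignature(String str) {
        if (this.signatureVerificationKey == null) {
            throw new NullPointerException("signature verification key must not be null!");
        }
        if (log.isTraceEnabled()) {
            log.trace("verifying HMAC signature of JWS-token {signatureVerificationKeyType: '{}'}",
                      keyType(this.signatureVerificationKey));
        }
        if (!(this.signatureVerificationKey instanceof SecretKey)) {
            throw new JoseInvalidKeyException("HMAC signature cannot be verified for the signature verification key is no secret key. It is: "
                + this.signatureVerificationKey.getClass());
        }
        JWSObject jwsObject = parseJwsObject(str);
        if (!isValidHMacSignatureAlgorithm(jwsObject.getHeader())) {
            throw new JoseSecurityFailureException("the given signature algorithm in the header is unknown or incompatible to the chosen operation 'HMAC signature verification'!\nalg:\""
                + jwsObject.getHeader().getAlgorithm().getName() + "\"");
        }
        try {
            verifySignature(new MACVerifier(this.signatureVerificationKey.getEncoded()), jwsObject);
            return new JSONObject(jwsObject.getPayload().toJSONObject());
        } catch (JOSEException e) {
            throw new JoseInvalidKeyException("key has an invalid length of '" + (encodedLength(this.signatureVerificationKey) * 8)
                + "'-Bit. Valid key-lengths are [256, 384, 512]. \nNote that the secret does not need to be an AES-key", e);
        }
    }

    /**
     * Runs the verifier and turns both "signature invalid" and "verification blew up" into
     * {@link JoseSignatureException}.
     */
    private void verifySignature(JWSVerifier jWSVerifier, JWSObject jWSObject) throws JoseSignatureException {
        boolean valid;
        try {
            valid = jWSObject.verify(jWSVerifier);
        } catch (JOSEException e) {
            throw new JoseSignatureException("For some unexpected reason the signature could not validated.", e);
        }
        if (!valid) {
            throw new JoseSignatureException("The signature could not be verified!");
        }
    }

    /**
     * Verifies a JWS with whichever mechanism the configured verification key supports: RSASSA for an
     * {@link RSAPublicKey}, HMAC otherwise. The choice is made from the key, never from the token's "alg" header,
     * so a token cannot steer an RSA-configured instance into HMAC verification.
     *
     * @return true if the signature verifies, false if it is present but invalid
     * @throws JoseSignatureException if {@code str} is not a JWT or not a three-part (signed) JWT
     * @throws SignatureException     wrapping any other failure (bad algorithm, wrong key type, parse error)
     */
    public boolean verifySignature(String str) {
        JWT jwt;
        try {
            jwt = JWTParser.parse(str);
        } catch (ParseException e) {
            throw new JoseSignatureException("given string is not a valid JWT!");
        }
        if (jwt.getParsedParts().length != 3) {
            throw new JoseSignatureException("given string is not a signed JWT (JWS)!");
        }
        try {
            if (this.signatureVerificationKey instanceof RSAPublicKey) {
                verifyRsaSignature(str);
            } else {
                verifyHMacSignature(str);
            }
            return true;
        } catch (JoseSignatureException e) {
            return false;
        } catch (Exception e) {
            throw new SignatureException("An unexpected error occured", e);
        }
    }

    /** Trace-logs the configured key sizes; null keys and non-extractable material are reported as null. */
    private void logKeyLengths() {
        if (log.isTraceEnabled()) {
            log.trace("decryption key length: '{}'-Bit", keyLengthBits(this.decryptionKey));
            log.trace("signing key length: '{}'-Bit", keyLengthBits(this.signingKey));
            log.trace("encryption key length: '{}'-Bit", keyLengthBits(this.encryptionKey));
            log.trace("signature verification key length: '{}'-Bit", keyLengthBits(this.signatureVerificationKey));
        }
    }

    /**
     * Builds the JWE for a string content. A content that parses as a signed JWT is nested as a JWT (cty=JWT) so
     * the receiver can verify it after decryption; anything else is carried as a plain string payload.
     */
    private static JWEObject buildJweObject(String content, JWEAlgorithm keyAlgorithm, EncryptionMethod encryptionMethod) {
        JWEHeader.Builder header = new JWEHeader.Builder(keyAlgorithm, encryptionMethod);
        SignedJWT nested;
        try {
            nested = SignedJWT.parse(content);
        } catch (ParseException e) {
            nested = null;
        }
        if (nested == null) {
            return new JWEObject(header.build(), new Payload(content));
        }
        return new JWEObject(header.contentType("JWT").build(), new Payload(nested));
    }

    /** @throws JwtParseException if {@code str} is not a compact-serialized JWS */
    private static JWSObject parseJwsObject(String str) {
        try {
            return JWSObject.parse(str);
        } catch (ParseException e) {
            throw new JwtParseException("could not parse the given string as a JWS", e);
        }
    }

    /** @throws JoseSecurityFailureException if the header has no "alg" */
    private static JWSAlgorithm requireAlgorithm(JWSHeader header) {
        JWSAlgorithm algorithm = header.getAlgorithm();
        if (algorithm == null) {
            throw new JoseSecurityFailureException(MISSING_ALGORITHM_MESSAGE);
        }
        return algorithm;
    }

    /**
     * @return the encoded key length in bytes
     * @throws JoseInvalidKeyException if {@code Key.getEncoded()} returns null (non-extractable key material)
     */
    private static int encodedLength(Key key) {
        byte[] encoded = key.getEncoded();
        if (encoded == null) {
            throw new JoseInvalidKeyException("key material of " + key.getClass().getSimpleName()
                + " is not extractable (getEncoded() returned null)");
        }
        return encoded.length;
    }

    /** @return the encoded key length in bits, or null for a null key or non-extractable material (logging only) */
    private static Integer keyLengthBits(Key key) {
        if (key == null) {
            return null;
        }
        byte[] encoded = key.getEncoded();
        return encoded == null ? null : Integer.valueOf(encoded.length * 8);
    }

    /** @return the simple class name of the key, or null for a null key (logging only) */
    private static String keyType(Key key) {
        return key == null ? null : key.getClass().getSimpleName();
    }

    public Key getEncryptionKey() {
        return this.encryptionKey;
    }

    public Key getDecryptionKey() {
        return this.decryptionKey;
    }

    public Key getSigningKey() {
        return this.signingKey;
    }

    public Key getSignatureVerificationKey() {
        return this.signatureVerificationKey;
    }
}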
