package de.openknowledge.authentication.domain.token;

import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Objects;
import javax.annotation.PostConstruct;
import javax.crypto.spec.SecretKeySpec;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.json.bind.Jsonb;
import javax.json.bind.JsonbBuilder;
import org.keycloak.jose.jwe.JWE;
import org.keycloak.jose.jwe.JWEException;
import org.keycloak.jose.jwe.JWEHeader;
import org.keycloak.jose.jwe.JWEKeyStorage;
import org.keycloak.jose.jwe.alg.JWEAlgorithmProvider;
import org.keycloak.jose.jwe.alg.RsaKeyEncryptionJWEAlgorithmProvider;
import org.keycloak.jose.jwe.enc.AesCbcHmacShaEncryptionProvider;
import org.keycloak.jose.jwe.enc.JWEEncryptionProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

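@ApplicationScoped
public class KeycloakTokenService {

    private static final Logger LOG = LoggerFactory.getLogger(KeycloakTokenService.class);

    /**
     * JWE content-encryption algorithm (RFC 7518 name): AES-256-CBC with HMAC-SHA-512.
     * Must match the provider returned by {@link #getEncryptionProvider()}.
     */
    private static final String CONTENT_ENCRYPTION_ALG = "A256CBC-HS512";

    /**
     * JCA transformation used by Keycloak's RSA key-wrapping provider. OAEP with SHA-1/MGF1
     * corresponds to the RFC 7518 {@code RSA-OAEP} algorithm; it wraps only the content key,
     * so SHA-1 here is the RFC-mandated OAEP default rather than a digest of the payload.
     */
    private static final String KEY_WRAP_TRANSFORMATION = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";

    private KeycloakKeyConfiguration keyConfiguration;
    private KeyPair keyPair;
    private TokenSecret tokenSecret;
    // Single JSON-B instance, created in init(): building one per call is costly and the
    // Jsonb API is documented as safe for concurrent use.
    private Jsonb jsonb;

    /** CDI proxy constructor; not for application use. */
    protected KeycloakTokenService() {
    }

    /**
     * Creates the service with the key configuration to use. Keys and secrets are only
     * loaded in {@link #init()}, so constructing the service does no I/O.
     *
     * @param keycloakKeyConfiguration location of the RSA key pair and the shared token secret
     */
    @Inject
    public KeycloakTokenService(KeycloakKeyConfiguration keycloakKeyConfiguration) {
        this.keyConfiguration = keycloakKeyConfiguration;
    }

    /**
     * Validates the configuration and loads the key pair, the token secret and the JSON mapper.
     * Runs once after CDI injection; {@link #encode(Token)} and {@link #decode(VerificationLink)}
     * require it to have completed (they dereference the loaded fields without a null check).
     */
    @PostConstruct
    public void init() {
        LOG.debug("check configuration");
        this.keyConfiguration.validate();
        this.keyPair = KeycloakKeyService.readKeyPair(this.keyConfiguration);
        this.tokenSecret = TokenSecret.fromValue(this.keyConfiguration.getTokenSecret());
        this.jsonb = JsonbBuilder.create();
    }

    /**
     * Serialises the token to JSON and encrypts it as a compact JWE (content encrypted with
     * {@value #CONTENT_ENCRYPTION_ALG}, content key wrapped with the configured RSA public key).
     *
     * @param token the token to protect; must not be {@code null}
     * @return the JWE compact serialisation wrapped as a verification link
     * @throws NullPointerException if {@code token} is {@code null}
     * @throws IllegalArgumentException if the JWE library fails to encrypt; the cause is kept
     */
    public VerificationLink encode(Token token) {
        Objects.requireNonNull(token, "token");
        try {
            String json = jsonb.toJson(token);
            // NOTE(review): the next two debug lines emit the plaintext token and the final link,
            // i.e. the credential itself. DEBUG for this logger must stay off outside development.
            LOG.debug("payload: {}", json);
            JWE jwe = newEncoder(this.tokenSecret, this.keyPair.getPublic());
            jwe.content(json.getBytes(StandardCharsets.UTF_8));
            String encoded = jwe.encodeJwe(getAlgorithmProvider(), getEncryptionProvider());
            LOG.debug("encoded payload: {}", encoded);
            return VerificationLink.fromValue(encoded);
        } catch (JWEException e) {
            LOG.error("problem during encode JWT: {}", e.getMessage(), e);
            // Separator added: the original concatenation produced "problem during encode<message>".
            throw new IllegalArgumentException("problem during encode: " + e.getMessage(), e);
        }
    }

    /**
     * Verifies and decrypts a verification link produced by {@link #encode(Token)} and maps the
     * JSON payload back to a {@link Token}. Integrity failures surface as the JWE library's
     * {@link JWEException} and are rethrown as {@link IllegalArgumentException}.
     *
     * @param verificationLink the compact JWE to decode; must not be {@code null}
     * @return the decrypted token
     * @throws NullPointerException if {@code verificationLink} is {@code null}
     * @throws IllegalArgumentException if the link cannot be verified or decrypted; the cause is kept
     */
    public Token decode(VerificationLink verificationLink) {
        Objects.requireNonNull(verificationLink, "verificationLink");
        try {
            // NOTE(review): logs the presented link and, below, the decrypted payload at DEBUG.
            LOG.debug("payload: {}", verificationLink.getValue());
            JWE jwe = newDecoder(this.tokenSecret, this.keyPair.getPrivate());
            jwe.verifyAndDecodeJwe(verificationLink.getValue(), getAlgorithmProvider(), getEncryptionProvider());
            String json = new String(jwe.getContent(), StandardCharsets.UTF_8);
            LOG.debug("decoded payload: {}", json);
            return jsonb.fromJson(json, Token.class);
        } catch (JWEException e) {
            LOG.error("problem during decode JWT: {}", e.getMessage(), e);
            // Separator added: the original concatenation produced "problem during decode<message>".
            throw new IllegalArgumentException("problem during decode: " + e.getMessage(), e);
        }
    }

    /**
     * Builds a JWE ready for encoding: header, RSA public key for wrapping the content key, and
     * the secret-derived content keys.
     *
     * @param secret shared secret the content keys are derived from
     * @param publicKey RSA key that wraps the content key
     */
    private JWE newEncoder(TokenSecret secret, PublicKey publicKey) {
        // NOTE(review): the first argument is the JWE "alg" header (key management), yet it is set
        // to the content-encryption name; the key is actually wrapped with RSA-OAEP. Providers are
        // passed explicitly to encodeJwe/verifyAndDecodeJwe, so decoding appears not to depend on
        // it, but the header misdescribes the token. Changing it to "RSA-OAEP" would alter the
        // header of newly issued links — confirm against links already in circulation first.
        JWEHeader header = new JWEHeader(CONTENT_ENCRYPTION_ALG, CONTENT_ENCRYPTION_ALG, (String) null);
        JWE jwe = new JWE();
        jwe.header(header);
        jwe.getKeyStorage().setEncryptionKey(publicKey);
        enrichKeyStorage(jwe, secret);
        return jwe;
    }

    /**
     * Builds a JWE ready for decoding with the RSA private key and the secret-derived content keys.
     *
     * @param secret shared secret the content keys are derived from
     * @param privateKey RSA key that unwraps the content key
     */
    private JWE newDecoder(TokenSecret secret, PrivateKey privateKey) {
        JWE jwe = new JWE();
        jwe.getKeyStorage().setDecryptionKey(privateKey);
        enrichKeyStorage(jwe, secret);
        return jwe;
    }

    /**
     * Installs the configured secret as both halves of the content key: the AES encryption key
     * and the HMAC integrity key. The same bytes are used for both roles and for every link, so
     * the content key is static and the configured secret is the effective long-term key.
     * Assumes {@code secret.asByteArray()} has the length the provider expects for
     * {@value #CONTENT_ENCRYPTION_ALG} (32 bytes per half) — TODO confirm in TokenSecret.
     */
    private void enrichKeyStorage(JWE jwe, TokenSecret secret) {
        SecretKeySpec aesKey = new SecretKeySpec(secret.asByteArray(), "AES");
        // "HMACSHA2" is the key-algorithm label Keycloak's JWE provider uses for the MAC half.
        SecretKeySpec macKey = new SecretKeySpec(secret.asByteArray(), "HMACSHA2");
        jwe.getKeyStorage().setCEKKey(aesKey, JWEKeyStorage.KeyUse.ENCRYPTION);
        jwe.getKeyStorage().setCEKKey(macKey, JWEKeyStorage.KeyUse.SIGNATURE);
    }

    /** Key-management provider: RSA-OAEP wrapping of the content key. */
    private JWEAlgorithmProvider getAlgorithmProvider() {
        return new RsaKeyEncryptionJWEAlgorithmProvider(KEY_WRAP_TRANSFORMATION);
    }

    /** Content-encryption provider matching {@value #CONTENT_ENCRYPTION_ALG}. */
    private JWEEncryptionProvider getEncryptionProvider() {
        return new AesCbcHmacShaEncryptionProvider.Aes256CbcHmacSha512Provider();
    }
}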
