package org.lightningj.paywall.tokengenerator;

import java.io.IOException;
import java.security.SecureRandom;
import java.time.Clock;
import java.time.Instant;
import org.jose4j.json.JsonUtil;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.lang.JoseException;
import org.lightningj.paywall.InternalErrorException;
import org.lightningj.paywall.keymgmt.Context;
import org.lightningj.paywall.tokengenerator.TokenException;
import org.lightningj.paywall.util.DigestUtils;
import org.lightningj.paywall.vo.MinimalInvoice;
import org.lightningj.paywall.vo.Order;
import org.lightningj.paywall.vo.OrderRequest;
import org.lightningj.paywall.vo.PreImageData;
import org.lightningj.paywall.vo.RequestData;
import org.lightningj.paywall.vo.Settlement;

/* loaded from: input_file:org/lightningj/paywall/tokengenerator/BaseTokenGenerator.class */
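/**
 * Base implementation of {@link TokenGenerator} that builds and parses JWT tokens with jose4j.
 *
 * <p>Tokens are produced as a signed JWS and, when requested, wrapped in a JWE whose plaintext
 * is the JWS compact serialization. Algorithm and key selection for all four operations
 * (sign, verify, encrypt, decrypt) is delegated to the abstract {@code populate*} methods.
 *
 * <p>Security notes for reviewers, all taken from the code in this class:
 * <ul>
 *   <li>{@link #parseToken(String, String)} checks the signature, the expiration time and the
 *       not-before time. It does not compare the issuer or subject claims with expected values;
 *       any such binding has to be done by the caller or by a subclass.</li>
 *   <li>Which signature algorithms are accepted is decided by the subclass implementation of
 *       {@link #populateJWSVerifyAlgAndKey}. Confirm that it pins the expected algorithm and
 *       does not take it from the token header alone.</li>
 *   <li>Both time checks tolerate {@link #ALLOWED_CLOCK_SKEW} milliseconds of clock skew, so a
 *       token is still accepted for that long after its expiration time.</li>
 * </ul>
 */
public abstract class BaseTokenGenerator implements TokenGenerator {
    /** Number of random bytes in a generated preimage. */
    public static final int PREIMAGE_LENGTH = 32;
    /** Tolerance, in milliseconds, applied to the expiration and not-before checks. */
    public static final long ALLOWED_CLOCK_SKEW = 300000;
    // Created lazily by getSecureRandom(); package-private, presumably so tests can replace it.
    SecureRandom secureRandom = null;
    // Time source for the validity checks; only millis() is read, so the zone has no effect.
    Clock clock = Clock.systemDefaultZone();

    /**
     * Generates a fresh random preimage together with its digest.
     *
     * @return the {@link #PREIMAGE_LENGTH} random bytes and the result of
     *     {@code DigestUtils.sha256} over them
     * @throws InternalErrorException if the random source could not be created
     */
    @Override
    public PreImageData genPreImageData() throws InternalErrorException {
        // The decompiled code had the literal 32 here; the constant keeps both in step.
        byte[] preImage = new byte[PREIMAGE_LENGTH];
        getSecureRandom().nextBytes(preImage);
        return new PreImageData(preImage, DigestUtils.sha256(preImage));
    }

    /**
     * Generates an encrypted payment token in the payment token context.
     *
     * @param orderRequest claim added to the token, may be null
     * @param order claim added to the token, may be null
     * @param requestData claim added to the token, may be null
     * @param instant expiration time of the token
     * @param instant2 not-before time of the token, or null to omit the claim
     * @param str subject of the token, also handed to the encryption key selection
     * @return the serialized token
     */
    @Override
    public String generatePaymentToken(OrderRequest orderRequest, Order order, RequestData requestData, Instant instant, Instant instant2, String str) throws TokenException, IOException, InternalErrorException {
        return generateToken(TokenContext.CONTEXT_PAYMENT_TOKEN_TYPE, instant, instant2, true, str, orderRequest, order, requestData);
    }

    /**
     * Generates an encrypted invoice token in the invoice token context.
     *
     * @param orderRequest claim added to the token, may be null
     * @param minimalInvoice claim added to the token, may be null
     * @param requestData claim added to the token, may be null
     * @param instant expiration time of the token
     * @param instant2 not-before time of the token, or null to omit the claim
     * @param str subject of the token, also handed to the encryption key selection
     * @return the serialized token
     */
    @Override
    public String generateInvoiceToken(OrderRequest orderRequest, MinimalInvoice minimalInvoice, RequestData requestData, Instant instant, Instant instant2, String str) throws TokenException, IOException, InternalErrorException {
        return generateToken(TokenContext.CONTEXT_INVOICE_TOKEN_TYPE, instant, instant2, true, str, orderRequest, minimalInvoice, requestData);
    }

    /**
     * Generates an encrypted settlement token.
     *
     * @param orderRequest claim added to the token, may be null
     * @param settlement claim added to the token, may be null
     * @param requestData claim added to the token, may be null
     * @param instant expiration time of the token
     * @param instant2 not-before time of the token, or null to omit the claim
     * @param str subject of the token, also handed to the encryption key selection
     * @return the serialized token
     */
    @Override
    public String generateSettlementToken(OrderRequest orderRequest, Settlement settlement, RequestData requestData, Instant instant, Instant instant2, String str) throws TokenException, IOException, InternalErrorException {
        // NOTE(review): this passes CONTEXT_INVOICE_TOKEN_TYPE, the same context that
        // generateInvoiceToken uses, so issuer name and key selection are shared between the two
        // token kinds. Confirm that this is intended; it is left unchanged here because parsers
        // of already-issued tokens depend on the context that was used to create them.
        return generateToken(TokenContext.CONTEXT_INVOICE_TOKEN_TYPE, instant, instant2, true, str, orderRequest, settlement, requestData);
    }

    /**
     * Builds a signed JWT and optionally wraps it in a JWE.
     *
     * @param str token context type; used for the issuer name and for key selection
     * @param instant expiration time, must not be null
     * @param instant2 not-before time, or null to omit the claim
     * @param z true to encrypt the signed token
     * @param str2 subject claim, or null to omit it; also passed to the encryption key selection
     * @param jWTClaimArr claims to embed under their own claim names; null entries are skipped
     * @return the compact serialization of the JWS, or of the JWE when {@code z} is true
     * @throws InternalErrorException if jose4j fails while building the token
     */
    @Override
    public String generateToken(String str, Instant instant, Instant instant2, boolean z, String str2, JWTClaim... jWTClaimArr) throws TokenException, IOException, InternalErrorException {
        try {
            TokenContext signContext = new TokenContext(str, Context.KeyUsage.SIGN);
            JwtClaims jwtClaims = new JwtClaims();
            jwtClaims.setIssuer(getIssuerName(str));
            if (str2 != null) {
                jwtClaims.setSubject(str2);
            }
            jwtClaims.setExpirationTime(NumericDate.fromMilliseconds(instant.toEpochMilli()));
            if (instant2 != null) {
                jwtClaims.setNotBefore(NumericDate.fromMilliseconds(instant2.toEpochMilli()));
            }
            for (JWTClaim claim : jWTClaimArr) {
                if (claim != null) {
                    // Each claim object is serialized to JSON and re-parsed so that it is stored
                    // as a nested structure under its claim name.
                    jwtClaims.setClaim(claim.getClaimName(), JsonUtil.parseJson(claim.toJsonAsString(false)));
                }
            }

            JsonWebSignature jws = new JsonWebSignature();
            jws.setPayload(jwtClaims.toJson());
            populateJWSSignatureAlgAndKey(signContext, jws);
            String token = jws.getCompactSerialization();
            if (!z) {
                return token;
            }

            // Sign-then-encrypt: the JWS compact string becomes the JWE plaintext.
            JsonWebEncryption jwe = new JsonWebEncryption();
            jwe.setPlaintext(token);
            populateJWEEncryptionAlgAndKey(new TokenContext(str, Context.KeyUsage.ENC), str2, jwe);
            return jwe.getCompactSerialization();
        } catch (JoseException e) {
            throw new InternalErrorException("Internal error generate JWT token: " + e.getMessage(), e);
        }
    }

    /**
     * Decrypts the token if it looks encrypted, verifies its signature and checks its validity
     * period.
     *
     * <p>Encryption is optional on this side: a token that is not in five-part form goes straight
     * to signature verification, even though the {@code generate*Token} helpers in this class
     * always encrypt. Issuer and subject claims are not checked here.
     *
     * @param str token context type used for key selection
     * @param str2 the serialized token
     * @return the verified claims
     * @throws TokenException if the token is null, cannot be decrypted or parsed, has an invalid
     *     signature, has expired or is not yet valid
     */
    @Override
    public JwtClaims parseToken(String str, String str2) throws TokenException, IOException, InternalErrorException {
        if (str2 == null) {
            throw new TokenException("Couldn't verify null JWT token.", TokenException.Reason.NOT_FOUND);
        }
        try {
            String signedToken = str2;
            if (isEncryptedToken(signedToken)) {
                signedToken = decryptTokenData(new TokenContext(str, Context.KeyUsage.ENC), signedToken);
            }
            JsonWebSignature jws = new JsonWebSignature();
            jws.setCompactSerialization(signedToken);
            // The subclass decides which algorithm and key are accepted for verification.
            populateJWSVerifyAlgAndKey(new TokenContext(str, Context.KeyUsage.SIGN), jws);
            if (!jws.verifySignature()) {
                throw new TokenException("Invalid signature for token.", TokenException.Reason.INVALID);
            }
            // Claims are read only after the signature has been verified.
            JwtClaims claims = JwtClaims.parse(jws.getPayload());
            checkExpireDate(claims);
            checkNotBefore(claims);
            return claims;
        } catch (JoseException e) {
            // NOTE(review): the jose4j message is included in the exception text; confirm that
            // it is not returned verbatim to the party that supplied the token.
            throw new TokenException("Invalid token received when parsing JWS Signature: " + e.getMessage(), e, TokenException.Reason.INVALID);
        } catch (InvalidJwtException e2) {
            throw new TokenException("Invalid token received when parsing JWS Claims: " + e2.getMessage(), e2, TokenException.Reason.INVALID);
        }
    }

    /**
     * Rejects claims that have no expiration time or whose expiration time, plus the allowed
     * clock skew, lies in the past.
     *
     * @param jwtClaims the claims to check
     * @throws TokenException with reason INVALID if the expiration time is missing or malformed,
     *     or with reason EXPIRED if the token has expired
     */
    void checkExpireDate(JwtClaims jwtClaims) throws TokenException {
        try {
            NumericDate expirationTime = jwtClaims.getExpirationTime();
            if (expirationTime == null) {
                throw new TokenException("Couldn't verify token, couldn't retrieve expire date from JWT claims.", TokenException.Reason.INVALID);
            }
            long latestAccepted = expirationTime.getValueInMillis() + ALLOWED_CLOCK_SKEW;
            if (this.clock.millis() > latestAccepted) {
                throw new TokenException("JWT Token have expired.", TokenException.Reason.EXPIRED);
            }
        } catch (MalformedClaimException e) {
            // Keep the cause so that the malformed claim can be diagnosed from the stack trace.
            throw new TokenException("Couldn't verify token, couldn't retrieve expire date from JWT claims.", e, TokenException.Reason.INVALID);
        }
    }

    /**
     * Rejects claims whose not-before time, minus the allowed clock skew, lies in the future.
     * A missing not-before claim is accepted.
     *
     * @param jwtClaims the claims to check
     * @throws TokenException with reason NOT_YET_VALID if the token is not yet valid, or with
     *     reason INVALID if the not-before claim is malformed
     */
    void checkNotBefore(JwtClaims jwtClaims) throws TokenException {
        try {
            NumericDate notBefore = jwtClaims.getNotBefore();
            if (notBefore != null && this.clock.millis() < notBefore.getValueInMillis() - ALLOWED_CLOCK_SKEW) {
                throw new TokenException("JWT Token not yet valid.", TokenException.Reason.NOT_YET_VALID);
            }
        } catch (MalformedClaimException e) {
            // Keep the cause so that the malformed claim can be diagnosed from the stack trace.
            throw new TokenException("Couldn't verify token, couldn't retrieve not before date from JWT claims.", e, TokenException.Reason.INVALID);
        }
    }

    /** Sets the signature algorithm and signing key on the given JWS. */
    protected abstract void populateJWSSignatureAlgAndKey(TokenContext tokenContext, JsonWebSignature jsonWebSignature) throws IOException, InternalErrorException;

    /**
     * Sets the verification key, and any algorithm restrictions, on the given JWS. Called by
     * {@link #parseToken(String, String)} after the compact serialization has been loaded, so an
     * implementation can read the token header; it should not let the header choose the
     * algorithm unchecked.
     */
    protected abstract void populateJWSVerifyAlgAndKey(TokenContext tokenContext, JsonWebSignature jsonWebSignature) throws TokenException, JoseException, IOException, InternalErrorException;

    /**
     * Sets the encryption algorithm and key on the given JWE.
     *
     * @param str the subject value that was given to {@link #generateToken}; may be null
     */
    protected abstract void populateJWEEncryptionAlgAndKey(TokenContext tokenContext, String str, JsonWebEncryption jsonWebEncryption) throws TokenException, IOException, InternalErrorException;

    /** Sets the decryption algorithm and key on the given JWE. */
    protected abstract void populateJWEDecryptionAlgAndKey(TokenContext tokenContext, JsonWebEncryption jsonWebEncryption) throws IOException, InternalErrorException;

    /**
     * Returns the shared {@link SecureRandom}, creating it on first use.
     *
     * <p>The lazy initialization is not synchronized, so concurrent first calls may each create
     * an instance and one of them is kept.
     *
     * @return the random source used for preimage generation
     * @throws InternalErrorException if the instance could not be created
     */
    protected SecureRandom getSecureRandom() throws InternalErrorException {
        if (this.secureRandom == null) {
            try {
                this.secureRandom = new SecureRandom();
            } catch (Exception e) {
                throw new InternalErrorException("Internal error generating SecureRandom for TokenGenerator, message: " + e.getMessage(), e);
            }
        }
        return this.secureRandom;
    }

    /**
     * Returns true when the token splits into exactly five dot-separated parts, which this class
     * treats as a JWE compact serialization. {@code String.split} drops trailing empty parts, so
     * trailing dots are not counted.
     */
    private boolean isEncryptedToken(String str) {
        return str.split("\\.").length == 5;
    }

    /**
     * Decrypts a JWE compact serialization and returns its plaintext.
     *
     * @throws TokenException with reason INVALID for any failure other than an
     *     {@link IOException} or {@link InternalErrorException}, which are rethrown unchanged
     */
    private String decryptTokenData(TokenContext tokenContext, String str) throws TokenException, IOException, InternalErrorException {
        try {
            JsonWebEncryption jwe = new JsonWebEncryption();
            jwe.setCompactSerialization(str);
            populateJWEDecryptionAlgAndKey(tokenContext, jwe);
            return jwe.getPlaintextString();
        } catch (Exception e) {
            // Infrastructure failures keep their type; everything else, including runtime
            // exceptions raised on malformed input, is reported as an invalid token.
            if (e instanceof IOException) {
                throw ((IOException) e);
            }
            if (e instanceof InternalErrorException) {
                throw ((InternalErrorException) e);
            }
            throw new TokenException("Unable to decrypt token: " + e.getMessage(), e, TokenException.Reason.INVALID);
        }
    }
}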
