package org.lightningj.paywall.tokengenerator;

import java.io.IOException;
import java.security.PublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwk.EllipticCurveJsonWebKey;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.VerificationJwkSelector;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.lang.JoseException;
import org.lightningj.paywall.InternalErrorException;
import org.lightningj.paywall.keymgmt.AsymmetricKeyManager;
import org.lightningj.paywall.keymgmt.Context;
import org.lightningj.paywall.keymgmt.KeySerializationHelper;
import org.lightningj.paywall.tokengenerator.TokenException;

/* loaded from: input_file:org/lightningj/paywall/tokengenerator/AsymmetricKeyTokenGenerator.class */
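/**
 * Token generator that signs and encrypts JWT tokens with asymmetric keys.
 *
 * <p>Signing uses the private key supplied by the {@link AsymmetricKeyManager};
 * verification only accepts keys that the key manager reports as trusted. The
 * trusted keys are converted to JSON Web Keys and cached for
 * {@link #CACHE_TIME} milliseconds.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Verification uses an explicit algorithm allowlist of asymmetric
 *       signature algorithms only. Neither {@code none} nor any HMAC algorithm
 *       is listed, so a token cannot downgrade to an unsigned or
 *       symmetric-key signature.</li>
 *   <li>Signing always sets {@code RS256}, while the trusted-key cache also
 *       accepts EC public keys. An EC signing key in the key manager would
 *       therefore not work for token generation with this class.</li>
 * </ul>
 *
 * <p>The cache reference and expiry are {@code volatile}, and a rebuilt cache
 * is published only once fully populated, so unsynchronized readers never see
 * a half-built key set.
 */
public class AsymmetricKeyTokenGenerator extends BaseTokenGenerator {
    /** How long, in milliseconds, a built trusted-key cache is considered fresh. */
    private static final long CACHE_TIME = 300000;

    AsymmetricKeyManager keyManager;
    RecipientRepository recipientRepository;

    /** Epoch millis after which the trusted-key cache must be rebuilt. */
    volatile long cacheExpireDate = 0;

    /** Trusted signature-verification keys per token context; {@code null} until first built. */
    volatile Map<TokenContext, JsonWebKeySet> trustedSigningPublicKeys = null;

    /**
     * Creates a generator backed by the given key manager and recipient repository.
     *
     * @param asymmetricKeyManager source of the own key pair and of the trusted public keys
     * @param recipientRepository lookup used to find a recipient's encryption key
     */
    public AsymmetricKeyTokenGenerator(AsymmetricKeyManager asymmetricKeyManager, RecipientRepository recipientRepository) {
        this.keyManager = asymmetricKeyManager;
        this.recipientRepository = recipientRepository;
    }

    /**
     * Configures a signature object for signing: RS256, the key id derived from
     * the own public key, and the own private key.
     *
     * @param tokenContext context selecting which key pair to use
     * @param jsonWebSignature signature object to populate
     * @throws IOException declared by the overridden method
     * @throws InternalErrorException if the key manager cannot supply the keys
     */
    @Override
    protected void populateJWSSignatureAlgAndKey(TokenContext tokenContext, JsonWebSignature jsonWebSignature) throws IOException, InternalErrorException {
        // NOTE(review): the algorithm is fixed to RS256, so the signing key is expected to be RSA.
        jsonWebSignature.setAlgorithmHeaderValue("RS256");
        jsonWebSignature.setKeyIdHeaderValue(KeySerializationHelper.genKeyId(this.keyManager.getPublicKey(tokenContext).getEncoded()));
        jsonWebSignature.setKey(this.keyManager.getPrivateKey(tokenContext));
    }

    /**
     * Configures a signature object for verification: restricts the accepted
     * algorithms and selects the verification key from the trusted key set.
     *
     * @param tokenContext context selecting which trusted key set to use
     * @param jsonWebSignature parsed signature to verify
     * @throws TokenException with reason INVALID if no trusted key matches the token
     * @throws JoseException if key selection fails inside the JOSE library
     * @throws IOException declared by the overridden method
     * @throws InternalErrorException if the trusted key cache cannot be built
     */
    @Override
    protected void populateJWSVerifyAlgAndKey(TokenContext tokenContext, JsonWebSignature jsonWebSignature) throws TokenException, JoseException, IOException, InternalErrorException {
        // Explicit allowlist: the header's "alg" value is attacker-controlled input,
        // so only asymmetric signature algorithms are accepted here.
        jsonWebSignature.setAlgorithmConstraints(new AlgorithmConstraints(
                AlgorithmConstraints.ConstraintType.WHITELIST,
                "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384", "ES512"));

        // Fail closed when the context has no trusted key set at all, instead of
        // hitting a NullPointerException on the missing set.
        JsonWebKeySet trustedKeys = getTrustedKeysAsJWTKeys(tokenContext);
        JsonWebKey verificationKey = trustedKeys == null
                ? null
                : new VerificationJwkSelector().select(jsonWebSignature, trustedKeys.getJsonWebKeys());
        if (verificationKey == null) {
            throw new TokenException("Error verifying token signature, signature key is not trusted.", TokenException.Reason.INVALID);
        }
        jsonWebSignature.setKey(verificationKey.getKey());
    }

    /**
     * Returns the issuer name, which is the key id generated from the encoded
     * signing public key for the given token type.
     *
     * @param str token type used to build the signing context
     * @return key id of the signing public key
     * @throws InternalErrorException if the key manager cannot supply the public key
     */
    @Override
    public String getIssuerName(String str) throws InternalErrorException {
        TokenContext signingContext = new TokenContext(str, Context.KeyUsage.SIGN);
        return KeySerializationHelper.genKeyId(this.keyManager.getPublicKey(signingContext).getEncoded());
    }

    /**
     * Returns the cached trusted key set for a context, rebuilding the cache
     * first if it is missing or expired.
     *
     * @param tokenContext context to look up
     * @return the trusted key set, or {@code null} if the cache holds no entry for the context
     * @throws InternalErrorException if the cache cannot be rebuilt
     */
    JsonWebKeySet getTrustedKeysAsJWTKeys(TokenContext tokenContext) throws InternalErrorException {
        if (hasCacheExpired()) {
            rebuildCache();
        }
        // presumably TokenContext implements equals/hashCode, since rebuildCache stores
        // entries under freshly created instances — verify against TokenContext.
        return this.trustedSigningPublicKeys.get(tokenContext);
    }

    /**
     * Configures an encryption object with the recipient's key, RSA-OAEP key
     * management and A256CBC-HS512 content encryption.
     *
     * @param tokenContext context passed to the recipient lookup
     * @param str recipient identifier passed to the recipient lookup
     * @param jsonWebEncryption encryption object to populate
     * @throws TokenException declared for the recipient lookup
     * @throws IOException declared by the overridden method
     * @throws InternalErrorException declared by the overridden method
     */
    @Override
    protected void populateJWEEncryptionAlgAndKey(TokenContext tokenContext, String str, JsonWebEncryption jsonWebEncryption) throws TokenException, IOException, InternalErrorException {
        // NOTE(review): assumes findRecipientKey throws rather than returning null
        // for an unknown recipient — confirm against RecipientRepository.
        JsonWebKey recipientKey = this.recipientRepository.findRecipientKey(tokenContext, str);
        jsonWebEncryption.setKey(recipientKey.getKey());
        jsonWebEncryption.setAlgorithmHeaderValue("RSA-OAEP");
        jsonWebEncryption.setKeyIdHeaderValue(recipientKey.getKeyId());
        jsonWebEncryption.setEncryptionMethodHeaderParameter("A256CBC-HS512");
    }

    /**
     * Configures an encryption object for decryption: restricts the accepted key
     * management and content encryption algorithms to the ones this class
     * produces, and sets the own private key.
     *
     * @param tokenContext context selecting which private key to use
     * @param jsonWebEncryption parsed encryption object to decrypt
     * @throws IOException declared by the overridden method
     * @throws InternalErrorException if the key manager cannot supply the private key
     */
    @Override
    protected void populateJWEDecryptionAlgAndKey(TokenContext tokenContext, JsonWebEncryption jsonWebEncryption) throws IOException, InternalErrorException {
        jsonWebEncryption.setAlgorithmConstraints(new AlgorithmConstraints(
                AlgorithmConstraints.ConstraintType.WHITELIST, "RSA-OAEP"));
        jsonWebEncryption.setContentEncryptionAlgorithmConstraints(new AlgorithmConstraints(
                AlgorithmConstraints.ConstraintType.WHITELIST, "A256CBC-HS512"));
        jsonWebEncryption.setKey(this.keyManager.getPrivateKey(tokenContext));
    }

    /**
     * Rebuilds the trusted-key cache for the invoice, payment and settlement
     * token types and resets the expiry time.
     *
     * <p>The new map is populated locally and assigned to the field only when
     * complete. {@link #getTrustedKeysAsJWTKeys(TokenContext)} reads the field
     * without holding this object's lock, so publishing an empty map first
     * would make concurrent verifications reject valid tokens.
     *
     * @throws InternalErrorException if a trusted key has an unsupported type
     *     or the key manager fails
     */
    public synchronized void rebuildCache() throws InternalErrorException {
        Map<TokenContext, JsonWebKeySet> rebuilt = new ConcurrentHashMap<>();

        TokenContext invoiceContext = new TokenContext(TokenContext.CONTEXT_INVOICE_TOKEN_TYPE, Context.KeyUsage.SIGN);
        populateJsonWebKeySet(invoiceContext, rebuilt, this.keyManager.getTrustedKeys(invoiceContext));

        TokenContext paymentContext = new TokenContext(TokenContext.CONTEXT_PAYMENT_TOKEN_TYPE, Context.KeyUsage.SIGN);
        populateJsonWebKeySet(paymentContext, rebuilt, this.keyManager.getTrustedKeys(paymentContext));

        TokenContext settlementContext = new TokenContext(TokenContext.CONTEXT_SETTLEMENT_TOKEN_TYPE, Context.KeyUsage.SIGN);
        populateJsonWebKeySet(settlementContext, rebuilt, this.keyManager.getTrustedKeys(settlementContext));

        this.trustedSigningPublicKeys = rebuilt;
        this.cacheExpireDate = this.clock.millis() + CACHE_TIME;
    }

    /**
     * Converts a map of key id to public key into a JSON Web Key set and stores
     * it in the target map under the given context.
     *
     * @param tokenContext key under which the resulting set is stored
     * @param map target map receiving the key set
     * @param map2 trusted public keys by key id; RSA and EC keys are supported
     * @throws InternalErrorException if a key is neither an RSA nor an EC public key
     */
    private void populateJsonWebKeySet(TokenContext tokenContext, Map<TokenContext, JsonWebKeySet> map, Map<String, PublicKey> map2) throws InternalErrorException {
        JsonWebKeySet jsonWebKeySet = new JsonWebKeySet(new JsonWebKey[0]);
        for (Map.Entry<String, PublicKey> trusted : map2.entrySet()) {
            PublicKey publicKey = trusted.getValue();
            // Declared as the common supertype: an EC key cannot be held in an RsaJsonWebKey variable.
            JsonWebKey jsonWebKey;
            if (publicKey instanceof RSAPublicKey) {
                jsonWebKey = new RsaJsonWebKey((RSAPublicKey) publicKey);
            } else if (publicKey instanceof ECPublicKey) {
                jsonWebKey = new EllipticCurveJsonWebKey((ECPublicKey) publicKey);
            } else {
                String typeName = publicKey == null ? "null" : publicKey.getClass().getSimpleName();
                throw new InternalErrorException("problem creating JSON Web Key set. Invalid asymmetric key type: " + typeName);
            }
            jsonWebKey.setKeyId(trusted.getKey());
            jsonWebKeySet.addJsonWebKey(jsonWebKey);
        }
        map.put(tokenContext, jsonWebKeySet);
    }

    /**
     * Tells whether the trusted-key cache has never been built or is past its
     * expiry time according to the inherited clock.
     *
     * @return {@code true} if the cache must be rebuilt before use
     */
    private boolean hasCacheExpired() {
        return this.trustedSigningPublicKeys == null || this.cacheExpireDate < this.clock.millis();
    }
}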
