package org.keycloak.jose.jws;

import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import org.jboss.logging.Logger;
import org.keycloak.OAuth2Constants;
import org.keycloak.Token;
import org.keycloak.TokenCategory;
import org.keycloak.crypto.CekManagementProvider;
import org.keycloak.crypto.ClientSignatureVerifierProvider;
import org.keycloak.crypto.ContentEncryptionProvider;
import org.keycloak.crypto.KeyUse;
import org.keycloak.crypto.KeyWrapper;
import org.keycloak.crypto.SignatureProvider;
import org.keycloak.jose.jwe.JWEException;
import org.keycloak.jose.jwe.alg.JWEAlgorithmProvider;
import org.keycloak.jose.jwe.enc.JWEEncryptionProvider;
import org.keycloak.jose.jwk.JWK;
import org.keycloak.keys.loader.PublicKeyStorageManager;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.TokenManager;
import org.keycloak.protocol.oidc.OIDCConfigAttributes;
import org.keycloak.util.TokenUtil;

/* loaded from: input_file:BOOT-INF/lib/keycloak-services-8.0.0.jar:org/keycloak/jose/jws/DefaultTokenManager.class */
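/**
 * Default {@link TokenManager}: signs realm-issued tokens as compact JWS, verifies
 * realm-issued and client-signed JWTs, and optionally wraps a signed token in a JWE
 * addressed to the current client.
 *
 * <p>Signature algorithms are resolved per {@link TokenCategory}: a client attribute
 * first (when one applies to the category), then the realm default, then
 * {@value #DEFAULT_ALGORITHM_NAME}. Encryption is only applied to ID tokens and only
 * when the current client configures both a CEK-management algorithm and a content
 * encryption algorithm.
 */
public class DefaultTokenManager implements TokenManager {
    private static final Logger logger = Logger.getLogger(DefaultTokenManager.class);
    /** Signing algorithm used when neither the client nor the realm configures one. */
    private static final String DEFAULT_ALGORITHM_NAME = "RS256";
    private final KeycloakSession session;

    public DefaultTokenManager(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    /**
     * Serializes {@code token} as a compact JWS (typ {@code JWT}), signed by the
     * {@link SignatureProvider} registered for the algorithm chosen by
     * {@link #signatureAlgorithm(TokenCategory)}.
     *
     * @param token the token to sign; must not be {@code null}
     * @return the signed compact JWS
     */
    @Override // org.keycloak.models.TokenManager
    public String encode(Token token) {
        String algorithm = signatureAlgorithm(token.getCategory());
        SignatureProvider provider = this.session.getProvider(SignatureProvider.class, algorithm);
        return new JWSBuilder().type(OAuth2Constants.JWT).jsonContent(token).sign(provider.signer());
    }

    /**
     * Parses and signature-verifies a realm-issued JWS.
     *
     * <p>The algorithm is taken from the JWS header, which is attacker-controlled
     * until the signature is checked; the only algorithms accepted are those for
     * which a {@link SignatureProvider} is registered, everything else yields
     * {@code null}. When the header carries no {@code kid}, the realm's active
     * signing key for that algorithm is used. Every parse, lookup or verification
     * failure is logged at debug level and mapped to {@code null}; this method never
     * throws for bad input.
     *
     * @param str compact JWS, may be {@code null}
     * @param cls payload type to deserialize the verified content into
     * @return the verified payload, or {@code null} when the input is absent,
     *         malformed, uses an unsupported algorithm, or fails verification
     */
    @Override // org.keycloak.models.TokenManager
    public <T extends Token> T decode(String str, Class<T> cls) {
        if (str == null) {
            return null;
        }
        try {
            JWSInput input = new JWSInput(str);
            String algorithm = input.getHeader().getAlgorithm().name();
            SignatureProvider signatureProvider = this.session.getProvider(SignatureProvider.class, algorithm);
            if (signatureProvider == null) {
                // No provider for the header's algorithm: nothing can vouch for this token.
                return null;
            }
            String keyId = input.getHeader().getKeyId();
            if (keyId == null) {
                logger.debug("KID is null in token. Using the realm active key to verify token signature.");
                KeyWrapper activeKey = this.session.keys().getActiveKey(
                        this.session.getContext().getRealm(), KeyUse.SIG, algorithm);
                if (activeKey == null) {
                    // Realm has no active key for this algorithm; treat as unverifiable.
                    return null;
                }
                keyId = activeKey.getKid();
            }
            byte[] signedInput = input.getEncodedSignatureInput().getBytes(StandardCharsets.UTF_8);
            if (!signatureProvider.verifier(keyId).verify(signedInput, input.getSignature())) {
                return null;
            }
            return input.readJsonContent(cls);
        } catch (Exception e) {
            logger.debug("Failed to decode token", e);
            return null;
        }
    }

    /**
     * Parses and verifies a JWT signed by {@code clientModel} (e.g. a client
     * assertion), using the {@link ClientSignatureVerifierProvider} registered for
     * the header's algorithm and the client's own registered keys.
     *
     * @param str         compact JWS, may be {@code null}
     * @param clientModel the client expected to have signed the token
     * @param cls         payload type to deserialize the verified content into
     * @return the verified payload, or {@code null} on absent input, unsupported
     *         algorithm, or any parse/verification failure (logged at debug level)
     */
    @Override // org.keycloak.models.TokenManager
    public <T> T decodeClientJWT(String str, ClientModel clientModel, Class<T> cls) {
        if (str == null) {
            return null;
        }
        try {
            JWSInput input = new JWSInput(str);
            String algorithm = input.getHeader().getAlgorithm().name();
            ClientSignatureVerifierProvider verifierProvider =
                    this.session.getProvider(ClientSignatureVerifierProvider.class, algorithm);
            if (verifierProvider == null) {
                return null;
            }
            byte[] signedInput = input.getEncodedSignatureInput().getBytes(StandardCharsets.UTF_8);
            if (!verifierProvider.verifier(clientModel, input).verify(signedInput, input.getSignature())) {
                return null;
            }
            return input.readJsonContent(cls);
        } catch (Exception e) {
            logger.debug("Failed to decode token", e);
            return null;
        }
    }

    /**
     * Chooses the JWS algorithm for a token category.
     *
     * <p>{@code INTERNAL} tokens are always HMAC-signed with {@code HS256}; the
     * remaining categories consult the current client's attribute for that category
     * (none for {@code ADMIN}), then the realm default, then
     * {@value #DEFAULT_ALGORITHM_NAME}.
     *
     * @param tokenCategory the category; must not be {@code null} (a {@code null}
     *                      category throws {@link NullPointerException})
     * @return the algorithm name
     * @throws RuntimeException if the category is not one of the handled values
     */
    @Override // org.keycloak.models.TokenManager
    public String signatureAlgorithm(TokenCategory tokenCategory) {
        switch (tokenCategory) {
            case INTERNAL:
                return "HS256";
            case ADMIN:
                return getSignatureAlgorithm(null);
            case ACCESS:
                return getSignatureAlgorithm(OIDCConfigAttributes.ACCESS_TOKEN_SIGNED_RESPONSE_ALG);
            case ID:
                return getSignatureAlgorithm(OIDCConfigAttributes.ID_TOKEN_SIGNED_RESPONSE_ALG);
            case USERINFO:
                return getSignatureAlgorithm(OIDCConfigAttributes.USER_INFO_RESPONSE_SIGNATURE_ALG);
            default:
                throw new RuntimeException("Unknown token type");
        }
    }

    /**
     * Resolves a signing algorithm: the current client's {@code attributeName}
     * (if given and non-empty), else the realm default, else
     * {@value #DEFAULT_ALGORITHM_NAME}.
     *
     * @param attributeName client attribute holding the algorithm, or {@code null}
     *                      to skip the client lookup
     */
    private String getSignatureAlgorithm(String attributeName) {
        String clientAlgorithm = clientAttributeOrNull(attributeName);
        if (clientAlgorithm != null) {
            return clientAlgorithm;
        }
        RealmModel realm = this.session.getContext().getRealm();
        String realmDefault = realm.getDefaultSignatureAlgorithm();
        return (realmDefault == null || realmDefault.isEmpty()) ? DEFAULT_ALGORITHM_NAME : realmDefault;
    }

    /**
     * Signs {@code token} and, when the current client requires encryption for
     * its category, wraps the signed JWS in a JWE.
     *
     * @param token the token to sign (and possibly encrypt)
     * @return compact JWS, or compact JWE containing the JWS
     * @throws RuntimeException if encryption is required but cannot be performed
     */
    @Override // org.keycloak.models.TokenManager
    public String encodeAndEncrypt(Token token) {
        String encoded = encode(token);
        if (isTokenEncryptRequired(token.getCategory())) {
            encoded = getEncryptedToken(token.getCategory(), encoded);
        }
        return encoded;
    }

    /** Encryption is required only when both a CEK-management and a content-encryption algorithm are configured. */
    private boolean isTokenEncryptRequired(TokenCategory tokenCategory) {
        return cekManagementAlgorithm(tokenCategory) != null && encryptAlgorithm(tokenCategory) != null;
    }

    /**
     * Wraps an already-signed compact JWS in a JWE using the current client's
     * registered encryption public key (KEK) for key management.
     *
     * @param tokenCategory category whose alg/enc configuration applies
     * @param signedToken   compact JWS to use as the JWE payload
     * @return compact JWE
     * @throws RuntimeException if a configured algorithm has no provider, the client
     *                          has no usable encryption key, or encryption fails
     */
    private String getEncryptedToken(TokenCategory tokenCategory, String signedToken) {
        String cekManagementAlgorithm = cekManagementAlgorithm(tokenCategory);
        String encryptAlgorithm = encryptAlgorithm(tokenCategory);
        CekManagementProvider cekProvider = this.session.getProvider(CekManagementProvider.class, cekManagementAlgorithm);
        ContentEncryptionProvider encProvider = this.session.getProvider(ContentEncryptionProvider.class, encryptAlgorithm);
        if (cekProvider == null || encProvider == null) {
            // Client asked for an alg/enc pair this server does not support; fail loudly rather than NPE.
            throw new RuntimeException("no provider for JWE alg=" + cekManagementAlgorithm + " enc=" + encryptAlgorithm);
        }
        JWEAlgorithmProvider jweAlgorithmProvider = cekProvider.jweAlgorithmProvider();
        JWEEncryptionProvider jweEncryptionProvider = encProvider.jweEncryptionProvider();
        KeyWrapper kek = PublicKeyStorageManager.getClientPublicKeyWrapper(
                this.session, this.session.getContext().getClient(), JWK.Use.ENCRYPTION, cekManagementAlgorithm);
        if (kek == null) {
            throw new RuntimeException("can not get encryption KEK");
        }
        try {
            return TokenUtil.jweKeyEncryptionEncode(
                    kek.getPublicKey(),
                    signedToken.getBytes(StandardCharsets.UTF_8),
                    cekManagementAlgorithm,
                    encryptAlgorithm,
                    kek.getKid(),
                    jweAlgorithmProvider,
                    jweEncryptionProvider);
        } catch (JWEException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * CEK-management ("alg") algorithm the current client configured for the
     * category; only {@code ID} tokens are encryptable.
     *
     * @return the algorithm name, or {@code null} if none is configured or the
     *         category is {@code null} / not encryptable
     */
    @Override // org.keycloak.models.TokenManager
    public String cekManagementAlgorithm(TokenCategory tokenCategory) {
        if (tokenCategory == null) {
            return null;
        }
        switch (tokenCategory) {
            case ID:
                return clientAttributeOrNull(OIDCConfigAttributes.ID_TOKEN_ENCRYPTED_RESPONSE_ALG);
            default:
                return null;
        }
    }

    /**
     * Content-encryption ("enc") algorithm the current client configured for the
     * category; only {@code ID} tokens are encryptable.
     *
     * @return the algorithm name, or {@code null} if none is configured or the
     *         category is {@code null} / not encryptable
     */
    @Override // org.keycloak.models.TokenManager
    public String encryptAlgorithm(TokenCategory tokenCategory) {
        if (tokenCategory == null) {
            return null;
        }
        switch (tokenCategory) {
            case ID:
                return clientAttributeOrNull(OIDCConfigAttributes.ID_TOKEN_ENCRYPTED_RESPONSE_ENC);
            default:
                return null;
        }
    }

    /**
     * Reads a non-empty attribute of the current client.
     *
     * @param attributeName attribute to read, may be {@code null}
     * @return the attribute value, or {@code null} when there is no current client,
     *         no attribute name, or the value is absent/empty
     */
    private String clientAttributeOrNull(String attributeName) {
        ClientModel client = this.session.getContext().getClient();
        if (client == null || attributeName == null) {
            return null;
        }
        String value = client.getAttribute(attributeName);
        return (value == null || value.isEmpty()) ? null : value;
    }
}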
