package org.springframework.security.oauth2.jose.jws;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.KeyLengthException;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.util.Base64;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.net.URI;
import java.net.URL;
import java.security.PrivateKey;
import java.time.Instant;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.stream.Collectors;
import javax.crypto.SecretKey;
import net.minidev.json.JSONObject;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.crypto.keys.KeyManager;
import org.springframework.security.crypto.keys.ManagedKey;
import org.springframework.security.oauth2.jose.JoseHeader;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimsSet;
import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.jwt.JwtEncodingException;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;
import org.springframework.util.StringUtils;

/* loaded from: input_file:org/springframework/security/oauth2/jose/jws/NimbusJwsEncoder.class */
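/**
 * A {@link JwtEncoder} that produces JWS-signed JWTs using the Nimbus JOSE + JWT library.
 *
 * <p>The signing key is never supplied by the caller: it is looked up in the
 * {@link KeyManager} by the JCA key algorithm that corresponds to the requested
 * {@code alg}, and the most recently activated active key wins. Only HMAC
 * ({@code SecretKey}) and RSA ({@code PrivateKey}) keys can actually be used for
 * signing; the ES* algorithms are mapped to {@code "EC"} for key lookup, but
 * {@link #encode} rejects any asymmetric key whose algorithm is not {@code "RSA"}.
 *
 * <p>Header values such as {@code jku}, {@code x5u}, {@code x5c} and the thumbprints
 * are copied into the token as supplied; apart from URI syntax parsing they are not
 * validated here.
 */
public final class NimbusJwsEncoder implements JwtEncoder {
    private static final String ENCODING_ERROR_MESSAGE_TEMPLATE = "An error occurred while attempting to encode the Jwt: %s";
    private static final String RSA_KEY_TYPE = "RSA";
    private static final String EC_KEY_TYPE = "EC";

    /** Maps each supported JWS algorithm to the JCA key algorithm used to query the {@link KeyManager}. */
    private static final Map<JwsAlgorithm, String> jcaKeyAlgorithmMappings = createJcaKeyAlgorithmMappings();

    private static final Converter<JoseHeader, JWSHeader> jwsHeaderConverter = new JwsHeaderConverter();
    private static final Converter<JwtClaimsSet, JWTClaimsSet> jwtClaimsSetConverter = new JwtClaimsSetConverter();
    private final KeyManager keyManager;

    /** Builds the JWS-algorithm to JCA-key-algorithm table without an anonymous {@code HashMap} subclass. */
    private static Map<JwsAlgorithm, String> createJcaKeyAlgorithmMappings() {
        Map<JwsAlgorithm, String> mappings = new HashMap<>();
        mappings.put(MacAlgorithm.HS256, "HmacSHA256");
        mappings.put(MacAlgorithm.HS384, "HmacSHA384");
        mappings.put(MacAlgorithm.HS512, "HmacSHA512");
        mappings.put(SignatureAlgorithm.RS256, RSA_KEY_TYPE);
        mappings.put(SignatureAlgorithm.RS384, RSA_KEY_TYPE);
        mappings.put(SignatureAlgorithm.RS512, RSA_KEY_TYPE);
        mappings.put(SignatureAlgorithm.ES256, EC_KEY_TYPE);
        mappings.put(SignatureAlgorithm.ES384, EC_KEY_TYPE);
        mappings.put(SignatureAlgorithm.ES512, EC_KEY_TYPE);
        return mappings;
    }

    /** Converts a Spring Security {@link JoseHeader} into a Nimbus {@link JWSHeader}. */
    private static class JwsHeaderConverter implements Converter<JoseHeader, JWSHeader> {
        private JwsHeaderConverter() {
        }

        /**
         * Copies every populated header parameter onto a Nimbus header builder.
         *
         * @param joseHeader the header to convert
         * @return the equivalent Nimbus JWS header
         * @throws JwtEncodingException if {@code jku}, {@code jwk} or {@code x5u} cannot be
         *         converted, or if the {@code jwk} header carries private key material
         */
        @Override
        public JWSHeader convert(JoseHeader joseHeader) {
            JWSHeader.Builder builder = new JWSHeader.Builder(JWSAlgorithm.parse(joseHeader.getJwsAlgorithm().getName()));

            Set<String> critical = joseHeader.getCritical();
            if (!CollectionUtils.isEmpty(critical)) {
                builder.criticalParams(critical);
            }

            String contentType = joseHeader.getContentType();
            if (StringUtils.hasText(contentType)) {
                builder.contentType(contentType);
            }

            // 'jku' is only checked for URI syntax; scheme and host are emitted as supplied.
            String jwkSetUri = joseHeader.getJwkSetUri();
            if (StringUtils.hasText(jwkSetUri)) {
                try {
                    builder.jwkURL(new URI(jwkSetUri));
                } catch (Exception ex) {
                    throw new JwtEncodingException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE, "Failed to convert 'jku' JOSE header"), ex);
                }
            }

            Map<String, Object> jwk = joseHeader.getJwk();
            if (!CollectionUtils.isEmpty(jwk)) {
                try {
                    JWK parsedJwk = JWK.parse(new JSONObject(jwk));
                    // The JWS header is not encrypted. RFC 7515 defines 'jwk' as the public key
                    // matching the signing key, so private or symmetric key material must never
                    // be serialized into it.
                    if (parsedJwk.isPrivate()) {
                        throw new IllegalArgumentException("The 'jwk' JOSE header must not contain private key material");
                    }
                    builder.jwk(parsedJwk);
                } catch (Exception ex) {
                    throw new JwtEncodingException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE, "Failed to convert 'jwk' JOSE header"), ex);
                }
            }

            String keyId = joseHeader.getKeyId();
            if (StringUtils.hasText(keyId)) {
                builder.keyID(keyId);
            }

            String type = joseHeader.getType();
            if (StringUtils.hasText(type)) {
                builder.type(new JOSEObjectType(type));
            }

            List<String> x509CertificateChain = joseHeader.getX509CertificateChain();
            if (!CollectionUtils.isEmpty(x509CertificateChain)) {
                builder.x509CertChain(x509CertificateChain.stream().map(Base64::new).collect(Collectors.toList()));
            }

            String x509SHA1Thumbprint = joseHeader.getX509SHA1Thumbprint();
            if (StringUtils.hasText(x509SHA1Thumbprint)) {
                builder.x509CertThumbprint(new Base64URL(x509SHA1Thumbprint));
            }

            String x509SHA256Thumbprint = joseHeader.getX509SHA256Thumbprint();
            if (StringUtils.hasText(x509SHA256Thumbprint)) {
                builder.x509CertSHA256Thumbprint(new Base64URL(x509SHA256Thumbprint));
            }

            // 'x5u' is only checked for URI syntax, like 'jku' above.
            String x509Uri = joseHeader.getX509Uri();
            if (StringUtils.hasText(x509Uri)) {
                try {
                    builder.x509CertURL(new URI(x509Uri));
                } catch (Exception ex) {
                    throw new JwtEncodingException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE, "Failed to convert 'x5u' JOSE header"), ex);
                }
            }

            // Everything that is not a registered JWS header parameter is passed through as a custom parameter.
            Set<String> registeredNames = JWSHeader.getRegisteredParameterNames();
            Map<String, Object> customHeaders = joseHeader.getHeaders().entrySet().stream()
                    .filter(entry -> !registeredNames.contains(entry.getKey()))
                    .collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue));
            if (!CollectionUtils.isEmpty(customHeaders)) {
                builder.customParams(customHeaders);
            }
            return builder.build();
        }
    }

    /** Converts a Spring Security {@link JwtClaimsSet} into a Nimbus {@link JWTClaimsSet}. */
    private static class JwtClaimsSetConverter implements Converter<JwtClaimsSet, JWTClaimsSet> {
        private JwtClaimsSetConverter() {
        }

        /**
         * Copies the registered claims that are present, then every remaining claim as a custom claim.
         *
         * <p>Absent {@code exp} or {@code nbf} values are not defaulted here: a claims set without
         * an expiry produces a token without one.
         *
         * @param jwtClaimsSet the claims to convert
         * @return the equivalent Nimbus claims set
         */
        @Override
        public JWTClaimsSet convert(JwtClaimsSet jwtClaimsSet) {
            JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder();

            URL issuer = jwtClaimsSet.getIssuer();
            if (issuer != null) {
                builder.issuer(issuer.toExternalForm());
            }

            String subject = jwtClaimsSet.getSubject();
            if (StringUtils.hasText(subject)) {
                builder.subject(subject);
            }

            List<String> audience = jwtClaimsSet.getAudience();
            if (!CollectionUtils.isEmpty(audience)) {
                builder.audience(audience);
            }

            Instant issuedAt = jwtClaimsSet.getIssuedAt();
            if (issuedAt != null) {
                builder.issueTime(Date.from(issuedAt));
            }

            Instant expiresAt = jwtClaimsSet.getExpiresAt();
            if (expiresAt != null) {
                builder.expirationTime(Date.from(expiresAt));
            }

            Instant notBefore = jwtClaimsSet.getNotBefore();
            if (notBefore != null) {
                builder.notBeforeTime(Date.from(notBefore));
            }

            String id = jwtClaimsSet.getId();
            if (StringUtils.hasText(id)) {
                builder.jwtID(id);
            }

            Set<String> registeredNames = JWTClaimsSet.getRegisteredNames();
            Map<String, Object> customClaims = jwtClaimsSet.getClaims().entrySet().stream()
                    .filter(entry -> !registeredNames.contains(entry.getKey()))
                    .collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue));
            if (!CollectionUtils.isEmpty(customClaims)) {
                customClaims.forEach(builder::claim);
            }
            return builder.build();
        }
    }

    /**
     * Creates an encoder that signs with keys obtained from the given key manager.
     *
     * @param keyManager the source of signing keys, must not be {@code null}
     */
    public NimbusJwsEncoder(KeyManager keyManager) {
        Assert.notNull(keyManager, "keyManager cannot be null");
        this.keyManager = keyManager;
    }

    /**
     * Signs the given claims and returns the resulting {@link Jwt}.
     *
     * <p>The {@code typ} header is set to {@code JWT}, the {@code kid} header is set to the id of
     * the selected key, and the {@code jti} claim is replaced with a fresh random UUID; values the
     * caller supplied for these three are overwritten.
     *
     * @param joseHeader the JOSE header, whose {@code alg} drives key selection
     * @param jwtClaimsSet the claims to sign
     * @return the signed JWT together with the headers and claims that were actually encoded
     * @throws JwtEncodingException if no usable key exists for the algorithm, the key is an
     *         asymmetric non-RSA key, or signing fails
     */
    @Override // org.springframework.security.oauth2.jwt.JwtEncoder
    public Jwt encode(JoseHeader joseHeader, JwtClaimsSet jwtClaimsSet) throws JwtEncodingException {
        Assert.notNull(joseHeader, "headers cannot be null");
        Assert.notNull(jwtClaimsSet, "claims cannot be null");

        ManagedKey managedKey = selectKey(joseHeader);
        if (managedKey == null) {
            throw new JwtEncodingException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE, "Unsupported key for algorithm '" + joseHeader.getJwsAlgorithm().getName() + "'"));
        }

        // Declared as the common JWSSigner interface: a MACSigner is not an RSASSASigner.
        JWSSigner signer;
        if (!managedKey.isAsymmetric()) {
            try {
                signer = new MACSigner((SecretKey) managedKey.getKey());
            } catch (KeyLengthException ex) {
                throw new JwtEncodingException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE, ex.getMessage()), ex);
            }
        } else {
            // Constant-first comparison so a key reporting a null algorithm is rejected rather than causing an NPE.
            if (!RSA_KEY_TYPE.equals(managedKey.getAlgorithm())) {
                throw new JwtEncodingException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE, "Unsupported key type '" + managedKey.getAlgorithm() + "'"));
            }
            signer = new RSASSASigner((PrivateKey) managedKey.getKey());
        }

        JoseHeader effectiveHeader = JoseHeader.from(joseHeader)
                .type(JOSEObjectType.JWT.getType())
                .keyId(managedKey.getKeyId())
                .build();
        JWSHeader jwsHeader = jwsHeaderConverter.convert(effectiveHeader);

        JwtClaimsSet effectiveClaims = JwtClaimsSet.from(jwtClaimsSet)
                .id(UUID.randomUUID().toString())
                .build();
        SignedJWT signedJwt = new SignedJWT(jwsHeader, jwtClaimsSetConverter.convert(effectiveClaims));

        try {
            signedJwt.sign(signer);
        } catch (JOSEException ex) {
            throw new JwtEncodingException(String.format(ENCODING_ERROR_MESSAGE_TEMPLATE, ex.getMessage()), ex);
        }
        return new Jwt(signedJwt.serialize(), effectiveClaims.getIssuedAt(), effectiveClaims.getExpiresAt(),
                effectiveHeader.getHeaders(), effectiveClaims.getClaims());
    }

    /**
     * Picks the signing key for the header's {@code alg}.
     *
     * @param joseHeader the header naming the JWS algorithm
     * @return the active key with the latest activation time among those the key manager returns
     *         for the mapped JCA algorithm, or {@code null} if the algorithm is unmapped or no
     *         active key exists
     */
    private ManagedKey selectKey(JoseHeader joseHeader) {
        String jcaAlgorithm = jcaKeyAlgorithmMappings.get(joseHeader.getJwsAlgorithm());
        if (!StringUtils.hasText(jcaAlgorithm)) {
            return null;
        }
        Set<ManagedKey> candidates = this.keyManager.findByAlgorithm(jcaAlgorithm);
        if (CollectionUtils.isEmpty(candidates)) {
            return null;
        }
        return candidates.stream()
                .filter(ManagedKey::isActive)
                .max(this::mostRecentActivated)
                .orElse(null);
    }

    /**
     * Orders keys by activation time, oldest first.
     *
     * <p>Returns {@code 0} for equal activation times so the comparator contract holds; always
     * answering {@code 1} or {@code -1} makes {@code compare(a, a)} negative and the ordering
     * asymmetric for ties.
     */
    private int mostRecentActivated(ManagedKey managedKey, ManagedKey managedKey2) {
        return managedKey.getActivatedOn().compareTo(managedKey2.getActivatedOn());
    }
}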
