package be.atbash.ee.security.octopus.jwt.parameter;

import be.atbash.ee.security.octopus.config.JCASupportConfiguration;
import be.atbash.ee.security.octopus.config.JwtSupportConfiguration;
import be.atbash.ee.security.octopus.jwt.JWTEncoding;
import be.atbash.ee.security.octopus.keys.AtbashKey;
import be.atbash.ee.security.octopus.nimbus.jose.HeaderParameterNames;
import be.atbash.ee.security.octopus.nimbus.jose.crypto.PasswordBasedEncrypter;
import be.atbash.ee.security.octopus.nimbus.jose.crypto.impl.PBKDF;
import be.atbash.ee.security.octopus.nimbus.jose.crypto.impl.PRFParams;
import be.atbash.ee.security.octopus.nimbus.jwk.KeyType;
import be.atbash.ee.security.octopus.nimbus.jwt.jwe.JWEAlgorithm;
import be.atbash.ee.security.octopus.nimbus.util.Base64URLValue;
import be.atbash.util.PublicAPI;
import be.atbash.util.exception.AtbashIllegalActionException;
import java.util.HashMap;
import java.util.Map;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

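/**
 * Fluent builder that collects header values, keys and algorithm choices and
 * produces the {@link JWTParameters} implementation matching the requested
 * {@link JWTEncoding}.
 *
 * <p>Instances are created through {@link #newBuilderFor(JWTEncoding)}. The
 * builder is mutable and keeps references to the keys and the password array
 * it is given; nothing in this class synchronizes access, so use one builder
 * per thread.
 */
@PublicAPI
/* loaded from: input_file:be/atbash/ee/security/octopus/jwt/parameter/JWTParametersBuilder.class */
public final class JWTParametersBuilder {
    private final JWTEncoding encoding;
    private AtbashKey secretKeySigning;
    private AtbashKey secretKeyEncryption;
    private JWTParametersSigning parametersSigning;
    private JWEAlgorithm jweAlgorithm;
    private String kid;
    // Held by reference until build() derives the key; never copied or cleared here.
    private char[] password;
    private int iterationCount;
    private final Logger logger = LoggerFactory.getLogger(JWTParametersBuilder.class);
    private final Map<String, Object> headerValues = new HashMap<>();

    private JWTParametersBuilder(JWTEncoding jWTEncoding) {
        this.encoding = jWTEncoding;
    }

    /**
     * Adds a header parameter with a String value.
     *
     * @param name header parameter name
     * @param value header parameter value
     * @return this builder
     */
    public JWTParametersBuilder withHeader(String name, String value) {
        return withHeaderObject(name, value);
    }

    /**
     * Adds a header parameter with an arbitrary value. With
     * {@link JWTEncoding#NONE} a warning is logged; the value is still stored,
     * but {@link #build()} does not pass headers on for that encoding.
     *
     * @param name header parameter name
     * @param value header parameter value
     * @return this builder
     */
    public JWTParametersBuilder withHeaderObject(String name, Object value) {
        if (this.encoding == JWTEncoding.NONE) {
            this.logger.warn("Header values are not supported with JWTEncoding.NONE");
        }
        this.headerValues.put(name, value);
        return this;
    }

    /**
     * Sets the {@link HeaderParameterNames#JWK_SET_URL} header.
     *
     * <p>The URL travels in the token header, so consumers should only fetch
     * keys from it after checking it against the locations they trust.
     *
     * @param url location of the JWK set
     * @return this builder
     */
    public JWTParametersBuilder withJSONKeyURL(String url) {
        return withHeader(HeaderParameterNames.JWK_SET_URL, url);
    }

    /**
     * Sets the key used for signing. Required for JWS and JWE encodings
     * (see the checks performed by {@link #build()}).
     *
     * @param atbashKey signing key
     * @return this builder
     */
    public JWTParametersBuilder withSecretKeyForSigning(AtbashKey atbashKey) {
        if (this.encoding == JWTEncoding.NONE) {
            this.logger.warn("SecretKey value is not supported with JWTEncoding.NONE");
        }
        this.secretKeySigning = atbashKey;
        return this;
    }

    /**
     * Sets the key used for encryption. Only used with {@link JWTEncoding#JWE};
     * for other encodings a warning is logged.
     *
     * @param atbashKey encryption key
     * @return this builder
     */
    public JWTParametersBuilder withSecretKeyForEncryption(AtbashKey atbashKey) {
        warnWhenNotJwe();
        this.secretKeyEncryption = atbashKey;
        return this;
    }

    /**
     * Configures password based encryption with
     * {@link PasswordBasedEncrypter#MIN_RECOMMENDED_ITERATION_COUNT} iterations.
     *
     * @param keyId key id given to the derived key
     * @param passwordChars password the key is derived from, see
     *     {@link #withSecretKeyForEncryption(String, char[], int)} for its lifetime
     * @return this builder
     */
    public JWTParametersBuilder withSecretKeyForEncryption(String keyId, char[] passwordChars) {
        return withSecretKeyForEncryption(keyId, passwordChars, PasswordBasedEncrypter.MIN_RECOMMENDED_ITERATION_COUNT);
    }

    /**
     * Configures password based encryption: selects
     * {@link JWEAlgorithm#PBES2_HS512_A256KW} and remembers the password so that
     * {@link #build()} can derive the encryption key.
     *
     * <p>The password array is stored by reference, not copied, and the key is
     * only derived inside {@link #build()}. Clearing the array before
     * {@code build()} has returned therefore derives the key from the cleared
     * contents. The builder never clears the array itself; that stays the
     * caller's responsibility once building is done.
     *
     * @param keyId key id given to the derived key
     * @param passwordChars password the key is derived from
     * @param iterations PBKDF iteration count, must be positive; values below
     *     {@link PasswordBasedEncrypter#MIN_RECOMMENDED_ITERATION_COUNT} are
     *     accepted but logged as a warning
     * @return this builder
     * @throws IllegalArgumentException when {@code iterations} is not positive
     */
    public JWTParametersBuilder withSecretKeyForEncryption(String keyId, char[] passwordChars, int iterations) {
        // The count is used as-is for key derivation in build(), so reject values
        // that cannot describe a key stretching run before they are stored.
        if (iterations <= 0) {
            throw new IllegalArgumentException(String.format("Iteration count must be positive : %s", iterations));
        }
        if (iterations < PasswordBasedEncrypter.MIN_RECOMMENDED_ITERATION_COUNT) {
            this.logger.warn("Iteration count {} is below the recommended minimum of {}",
                    iterations, PasswordBasedEncrypter.MIN_RECOMMENDED_ITERATION_COUNT);
        }
        warnWhenNotJwe();
        this.jweAlgorithm = JWEAlgorithm.PBES2_HS512_A256KW;
        this.password = passwordChars;
        this.iterationCount = iterations;
        this.kid = keyId;
        return this;
    }

    /**
     * Supplies ready-made signing parameters for the JWE case; when absent,
     * {@link #build()} creates them from the header values and the signing key.
     *
     * @param jWTParametersSigning signing parameters to nest in the JWE parameters
     * @return this builder
     */
    public JWTParametersBuilder withSigningParameters(JWTParametersSigning jWTParametersSigning) {
        this.parametersSigning = jWTParametersSigning;
        return this;
    }

    /**
     * Sets the JWE algorithm. Called after a password based
     * {@code withSecretKeyForEncryption}, it replaces the PBES2 algorithm that
     * method selected.
     *
     * @param jWEAlgorithm algorithm to use, checked against the key type in {@link #build()}
     * @return this builder
     */
    public JWTParametersBuilder withJWEAlgorithm(JWEAlgorithm jWEAlgorithm) {
        this.jweAlgorithm = jWEAlgorithm;
        return this;
    }

    /**
     * Validates the collected values and creates the parameters for the encoding.
     *
     * @return {@link JWTParametersNone}, {@link JWTParametersSigning} or
     *     {@link JWTParametersEncryption} depending on the encoding
     * @throws AtbashIllegalActionException when a required key is missing or the
     *     JWE algorithm does not fit the encryption key type
     * @throws IllegalArgumentException when the encoding is not handled here
     */
    public JWTParameters build() {
        // The password based key must exist before validation, which requires an encryption key.
        if (this.encoding == JWTEncoding.JWE && this.password != null) {
            defineKeyBasedOnPassword();
        }
        validateParameters();
        switch (this.encoding) {
            case NONE:
                return new JWTParametersNone();
            case JWS:
                return new JWTParametersSigning(this.headerValues, this.secretKeySigning);
            case JWE:
                if (this.parametersSigning == null) {
                    // NOTE(review): the same header map, including the PBES2 salt and count
                    // entries added for password based keys, is handed to the signing
                    // parameters as well - confirm that is intended.
                    this.parametersSigning = new JWTParametersSigning(this.headerValues, this.secretKeySigning);
                }
                return new JWTParametersEncryption(this.parametersSigning, this.headerValues, this.secretKeyEncryption, this.jweAlgorithm);
            default:
                throw unsupportedEncoding();
        }
    }

    /**
     * Derives the encryption key from the password with a fresh random salt and
     * records the salt and iteration count as header values, so each call to
     * {@link #build()} produces a new salt and key.
     */
    private void defineKeyBasedOnPassword() {
        byte[] salt = new byte[JwtSupportConfiguration.getInstance().getSaltLengthPasswordBasedEJWEEncryption()];
        JCASupportConfiguration.getInstance().getSecureRandom().nextBytes(salt);
        this.secretKeyEncryption = new AtbashKey(this.kid, PBKDF.deriveKey(this.password, salt, this.iterationCount, PRFParams.resolve(this.jweAlgorithm)));
        this.headerValues.put(HeaderParameterNames.PBES2_SALT_INPUT, Base64URLValue.encode(salt));
        this.headerValues.put(HeaderParameterNames.PBES2_COUNT, Integer.valueOf(this.iterationCount));
    }

    /** Dispatches to the validation that belongs to the encoding; NONE needs none. */
    private void validateParameters() {
        switch (this.encoding) {
            case NONE:
                return;
            case JWS:
                validateJWSParameters();
                return;
            case JWE:
                validateJWEParameters();
                return;
            default:
                throw unsupportedEncoding();
        }
    }

    /**
     * Requires an encryption key and a signing key and, when an algorithm was
     * chosen, checks that it belongs to the family matching the encryption key type.
     */
    private void validateJWEParameters() {
        if (this.secretKeyEncryption == null) {
            throw new AtbashIllegalActionException("(OCT-DEV-106) JWE encoding requires a JWK secret for the encryption");
        }
        // NOTE(review): this also fires when signing parameters were supplied through
        // withSigningParameters without a separate signing key - confirm that is intended.
        if (this.secretKeySigning == null) {
            throw new AtbashIllegalActionException("(OCT-DEV-112) JWE encoding requires a JWK secret for the signing");
        }
        if (this.jweAlgorithm == null) {
            return;
        }
        KeyType keyType = this.secretKeyEncryption.getSecretKeyType().getKeyType();
        boolean algorithmFitsKey;
        if (keyType == KeyType.RSA) {
            algorithmFitsKey = JWEAlgorithm.Family.RSA.contains(this.jweAlgorithm);
        } else if (keyType == KeyType.EC) {
            algorithmFitsKey = JWEAlgorithm.Family.ECDH_ES.contains(this.jweAlgorithm);
        } else if (keyType == KeyType.OCT) {
            // A password derived key must use a PBES2 algorithm, any other OCT key an AES key wrap one.
            algorithmFitsKey = this.password == null
                    ? JWEAlgorithm.Family.AES_KW.contains(this.jweAlgorithm)
                    : JWEAlgorithm.Family.PBES2.contains(this.jweAlgorithm);
        } else {
            // Other key types are not checked against an algorithm family.
            algorithmFitsKey = true;
        }
        if (!algorithmFitsKey) {
            throw new AtbashIllegalActionException("(OCT-DEV-111) JWE Algorithm not valid for key type.");
        }
    }

    /** Requires a signing key for JWS. */
    private void validateJWSParameters() {
        if (this.secretKeySigning == null) {
            throw new AtbashIllegalActionException("(OCT-DEV-105) JWS encoding requires a JWK secret for the signing");
        }
    }

    /** Logs the shared warning for encryption settings given to a non-JWE builder. */
    private void warnWhenNotJwe() {
        if (this.encoding != JWTEncoding.JWE) {
            this.logger.warn("SecretKey value for encryption only needed for JWTEncoding.JWE");
        }
    }

    /** Creates the exception used when the encoding has no matching case. */
    private IllegalArgumentException unsupportedEncoding() {
        return new IllegalArgumentException(String.format("Unsupported value for JWTEncoding : %s", this.encoding));
    }

    /**
     * Creates a builder for the given encoding.
     *
     * @param jWTEncoding encoding the resulting parameters are meant for
     * @return a new builder
     */
    public static JWTParametersBuilder newBuilderFor(JWTEncoding jWTEncoding) {
        return new JWTParametersBuilder(jWTEncoding);
    }
}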
