package org.springframework.security.oauth2.jwt;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.crypto.factories.DefaultJWSSignerFactory;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKMatcher;
import com.nimbusds.jose.jwk.JWKSelector;
import com.nimbusds.jose.jwk.KeyType;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.produce.JWSSignerFactory;
import com.nimbusds.jose.util.Base64;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.net.URI;
import java.net.URL;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.JwsHeader;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;
import org.springframework.util.StringUtils;

/* loaded from: input_file:org/springframework/security/oauth2/jwt/NimbusJwtEncoder.class */
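/**
 * {@link JwtEncoder} that signs a JWT in JWS compact form with a key selected from a
 * {@link JWKSource}.
 *
 * <p>Review notes for integrators:
 * <ul>
 * <li>Claims are copied as supplied. Nothing here requires {@code exp}, {@code nbf} or
 * {@code aud} to be present, so token lifetime and audience policy must be enforced by the
 * caller before {@link #encode(JwtEncoderParameters)} is invoked.</li>
 * <li>The {@code jku}, {@code jwk}, {@code x5u} and {@code x5c} headers are copied from the
 * caller-supplied {@link JwsHeader} without being compared to the selected signing key.
 * They end up inside the signed token, so verifiers should resolve keys from their own
 * trusted configuration rather than from these header values.</li>
 * <li>Exactly one key must match the header's algorithm (and {@code kid} / {@code x5t#S256}
 * when given); zero or several matches fail the encode.</li>
 * </ul>
 */
public final class NimbusJwtEncoder implements JwtEncoder {
    private static final String ENCODING_ERROR_MESSAGE_TEMPLATE = "An error occurred while attempting to encode the Jwt: %s";
    private static final JwsHeader DEFAULT_JWS_HEADER = JwsHeader.with(SignatureAlgorithm.RS256).build();
    private static final JWSSignerFactory JWS_SIGNER_FACTORY = new DefaultJWSSignerFactory();

    // Signer cache keyed by JWK. Entries are never evicted: with a rotating JWKSource the
    // signers built for retired keys stay referenced for the lifetime of this encoder.
    // NOTE(review): bound or clear this cache if the key source rotates keys frequently.
    private final Map<JWK, JWSSigner> jwsSigners = new ConcurrentHashMap<>();
    private final JWKSource<SecurityContext> jwkSource;

    /**
     * Creates an encoder backed by the given key source.
     *
     * @param jWKSource the source the signing key is selected from, must not be {@code null}
     * @throws IllegalArgumentException if {@code jWKSource} is {@code null}
     */
    public NimbusJwtEncoder(JWKSource<SecurityContext> jWKSource) {
        Assert.notNull(jWKSource, "jwkSource cannot be null");
        this.jwkSource = jWKSource;
    }

    /**
     * Signs the supplied claims and returns the resulting {@link Jwt}.
     *
     * <p>When no JWS header is supplied, an RS256 header is used. The {@code kid} and
     * {@code x5t#S256} headers are filled in from the selected key when the caller left
     * them out and the key carries them.
     *
     * @param jwtEncoderParameters the header (optional) and claims to encode
     * @return the signed JWT together with the headers and claims that were serialized
     * @throws JwtEncodingException if no unique signing key can be selected, a header cannot
     * be converted, or signing fails
     * @throws IllegalArgumentException if {@code jwtEncoderParameters} is {@code null}
     */
    @Override
    public Jwt encode(JwtEncoderParameters jwtEncoderParameters) throws JwtEncodingException {
        Assert.notNull(jwtEncoderParameters, "parameters cannot be null");
        JwsHeader requestedHeader = jwtEncoderParameters.getJwsHeader();
        if (requestedHeader == null) {
            requestedHeader = DEFAULT_JWS_HEADER;
        }
        JwtClaimsSet claims = jwtEncoderParameters.getClaims();
        JWK signingKey = selectJwk(requestedHeader);
        JwsHeader effectiveHeader = addKeyIdentifierHeadersIfNecessary(requestedHeader, signingKey);
        String compactJws = serialize(effectiveHeader, claims, signingKey);
        return new Jwt(compactJws, claims.getIssuedAt(), claims.getExpiresAt(), effectiveHeader.getHeaders(), claims.getClaims());
    }

    /** Formats {@code detail} into the common encoding-error message. */
    private static String errorMessage(String detail) {
        return String.format(ENCODING_ERROR_MESSAGE_TEMPLATE, detail);
    }

    /**
     * Selects the single JWK that matches the header's algorithm and key identifiers.
     *
     * @throws JwtEncodingException if the lookup fails, or if zero or more than one key matches
     */
    private JWK selectJwk(JwsHeader jwsHeader) {
        List<JWK> candidates;
        try {
            JWKMatcher matcher = createJwkMatcher(jwsHeader);
            if (matcher == null) {
                // Reported explicitly instead of relying on JWKSelector rejecting a null matcher.
                throw new IllegalArgumentException("Unsupported JWS algorithm '" + jwsHeader.getAlgorithm().getName() + "'");
            }
            candidates = this.jwkSource.get(new JWKSelector(matcher), (SecurityContext) null);
        } catch (Exception e) {
            // Broad catch on purpose: JWKSource implementations may fail with checked or
            // unchecked exceptions, and callers only expect JwtEncodingException.
            throw new JwtEncodingException(errorMessage("Failed to select a JWK signing key -> " + e.getMessage()), e);
        }
        // The result checks sit outside the try block so that these exceptions are not
        // caught above and wrapped a second time with a duplicated message.
        if (candidates == null || candidates.isEmpty()) {
            throw new JwtEncodingException(errorMessage("Failed to select a JWK signing key"));
        }
        if (candidates.size() > 1) {
            // Refusing to pick among several keys keeps the choice of signing key explicit.
            throw new JwtEncodingException(errorMessage("Found multiple JWK signing keys for algorithm '" + jwsHeader.getAlgorithm().getName() + "'"));
        }
        return candidates.get(0);
    }

    /**
     * Converts header and claims to their Nimbus forms, signs them with {@code jwk} and
     * returns the compact serialization.
     *
     * @throws JwtEncodingException if a signer cannot be created or signing fails
     */
    private String serialize(JwsHeader jwsHeader, JwtClaimsSet jwtClaimsSet, JWK jwk) {
        JWSHeader nimbusHeader = convert(jwsHeader);
        JWTClaimsSet nimbusClaims = convert(jwtClaimsSet);
        JWSSigner signer = this.jwsSigners.computeIfAbsent(jwk, NimbusJwtEncoder::createSigner);
        SignedJWT signedJwt = new SignedJWT(nimbusHeader, nimbusClaims);
        try {
            signedJwt.sign(signer);
            return signedJwt.serialize();
        } catch (JOSEException e) {
            throw new JwtEncodingException(errorMessage("Failed to sign the JWT -> " + e.getMessage()), e);
        }
    }

    /**
     * Builds the matcher used to look up the signing key.
     *
     * <p>RSA and EC algorithms match on key type, {@code kid}, {@code x5t#S256}, a key use of
     * {@code sig} or none, and a key algorithm equal to the requested one or none. HMAC
     * algorithms match on key type, {@code kid}, the same algorithm rule, and private-only keys.
     *
     * @return the matcher, or {@code null} when the algorithm is in none of those families
     */
    private static JWKMatcher createJwkMatcher(JwsHeader jwsHeader) {
        JWSAlgorithm algorithm = JWSAlgorithm.parse(jwsHeader.getAlgorithm().getName());
        boolean asymmetric = JWSAlgorithm.Family.RSA.contains(algorithm) || JWSAlgorithm.Family.EC.contains(algorithm);
        if (asymmetric) {
            return new JWKMatcher.Builder()
                    .keyType(KeyType.forAlgorithm(algorithm))
                    .keyID(jwsHeader.getKeyId())
                    // The null element also accepts keys that declare no use / no algorithm.
                    .keyUses(new KeyUse[]{KeyUse.SIGNATURE, null})
                    .algorithms(new Algorithm[]{algorithm, null})
                    .x509CertSHA256Thumbprint(Base64URL.from(jwsHeader.getX509SHA256Thumbprint()))
                    .build();
        }
        if (JWSAlgorithm.Family.HMAC_SHA.contains(algorithm)) {
            return new JWKMatcher.Builder()
                    .keyType(KeyType.forAlgorithm(algorithm))
                    .keyID(jwsHeader.getKeyId())
                    .privateOnly(true)
                    .algorithms(new Algorithm[]{algorithm, null})
                    .build();
        }
        return null;
    }

    /**
     * Returns a header that carries {@code kid} and {@code x5t#S256} taken from the selected
     * key when the caller did not set them; values already present are never overwritten.
     */
    private static JwsHeader addKeyIdentifierHeadersIfNecessary(JwsHeader jwsHeader, JWK jwk) {
        boolean headerHasKeyId = StringUtils.hasText(jwsHeader.getKeyId());
        boolean headerHasThumbprint = StringUtils.hasText(jwsHeader.getX509SHA256Thumbprint());
        if (headerHasKeyId && headerHasThumbprint) {
            // Both identifiers were supplied by the caller.
            return jwsHeader;
        }
        boolean keyHasKeyId = StringUtils.hasText(jwk.getKeyID());
        boolean keyHasThumbprint = jwk.getX509CertSHA256Thumbprint() != null;
        if (!keyHasKeyId && !keyHasThumbprint) {
            // The key has nothing to contribute.
            return jwsHeader;
        }
        JwsHeader.Builder enriched = JwsHeader.from(jwsHeader);
        if (!headerHasKeyId && keyHasKeyId) {
            enriched.keyId(jwk.getKeyID());
        }
        if (!headerHasThumbprint && keyHasThumbprint) {
            enriched.x509SHA256Thumbprint(jwk.getX509CertSHA256Thumbprint().toString());
        }
        return enriched.build();
    }

    /**
     * Creates the signer for {@code jwk}; used as the loader for the signer cache.
     *
     * @throws JwtEncodingException if the factory cannot create a signer for the key
     */
    private static JWSSigner createSigner(JWK jwk) {
        try {
            return JWS_SIGNER_FACTORY.createJWSSigner(jwk);
        } catch (JOSEException e) {
            throw new JwtEncodingException(errorMessage("Failed to create a JWS Signer -> " + e.getMessage()), e);
        }
    }

    /**
     * Converts a Spring {@link JwsHeader} to a Nimbus {@link JWSHeader}.
     *
     * <p>Key-location headers ({@code jku}, {@code jwk}, {@code x5u}, {@code x5c}) are copied
     * as supplied; they are not checked against the key that signs the token.
     *
     * @throws JwtEncodingException if the {@code jwk}, {@code jku} or {@code x5u} header
     * cannot be converted
     */
    private static JWSHeader convert(JwsHeader jwsHeader) {
        JWSHeader.Builder builder = new JWSHeader.Builder(JWSAlgorithm.parse(jwsHeader.getAlgorithm().getName()));
        if (jwsHeader.getJwkSetUrl() != null) {
            builder.jwkURL(convertAsURI(JoseHeaderNames.JKU, jwsHeader.getJwkSetUrl()));
        }
        Map<String, Object> embeddedJwk = jwsHeader.getJwk();
        if (!CollectionUtils.isEmpty(embeddedJwk)) {
            try {
                builder.jwk(JWK.parse(embeddedJwk));
            } catch (Exception e) {
                throw new JwtEncodingException(errorMessage("Unable to convert 'jwk' JOSE header"), e);
            }
        }
        String keyId = jwsHeader.getKeyId();
        if (StringUtils.hasText(keyId)) {
            builder.keyID(keyId);
        }
        if (jwsHeader.getX509Url() != null) {
            builder.x509CertURL(convertAsURI(JoseHeaderNames.X5U, jwsHeader.getX509Url()));
        }
        List<String> certificateChain = jwsHeader.getX509CertificateChain();
        if (!CollectionUtils.isEmpty(certificateChain)) {
            List<Base64> encodedChain = new ArrayList<>(certificateChain.size());
            for (String certificate : certificateChain) {
                encodedChain.add(new Base64(certificate));
            }
            builder.x509CertChain(encodedChain);
        }
        String sha1Thumbprint = jwsHeader.getX509SHA1Thumbprint();
        if (StringUtils.hasText(sha1Thumbprint)) {
            builder.x509CertThumbprint(new Base64URL(sha1Thumbprint));
        }
        String sha256Thumbprint = jwsHeader.getX509SHA256Thumbprint();
        if (StringUtils.hasText(sha256Thumbprint)) {
            builder.x509CertSHA256Thumbprint(new Base64URL(sha256Thumbprint));
        }
        String type = jwsHeader.getType();
        if (StringUtils.hasText(type)) {
            builder.type(new JOSEObjectType(type));
        }
        String contentType = jwsHeader.getContentType();
        if (StringUtils.hasText(contentType)) {
            builder.contentType(contentType);
        }
        Set<String> critical = jwsHeader.getCritical();
        if (!CollectionUtils.isEmpty(critical)) {
            builder.criticalParams(critical);
        }
        // Everything that is not a registered JWS parameter is passed through as a custom one.
        Set<String> registeredNames = JWSHeader.getRegisteredParameterNames();
        Map<String, Object> customParams = new HashMap<>();
        jwsHeader.getHeaders().forEach((name, value) -> {
            if (!registeredNames.contains(name)) {
                customParams.put(name, value);
            }
        });
        if (!customParams.isEmpty()) {
            builder.customParams(customParams);
        }
        return builder.build();
    }

    /**
     * Converts a Spring {@link JwtClaimsSet} to a Nimbus {@link JWTClaimsSet}.
     *
     * <p>Registered claims are copied only when present; absent time claims such as
     * {@code exp} are simply left out of the token rather than rejected.
     */
    private static JWTClaimsSet convert(JwtClaimsSet jwtClaimsSet) {
        JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder();
        // Read "iss" as a raw claim so that non-String values are serialized via toString().
        Object issuer = jwtClaimsSet.getClaim(JwtClaimNames.ISS);
        if (issuer != null) {
            builder.issuer(issuer.toString());
        }
        String subject = jwtClaimsSet.getSubject();
        if (StringUtils.hasText(subject)) {
            builder.subject(subject);
        }
        List<String> audience = jwtClaimsSet.getAudience();
        if (!CollectionUtils.isEmpty(audience)) {
            builder.audience(audience);
        }
        Instant expiresAt = jwtClaimsSet.getExpiresAt();
        if (expiresAt != null) {
            builder.expirationTime(Date.from(expiresAt));
        }
        Instant notBefore = jwtClaimsSet.getNotBefore();
        if (notBefore != null) {
            builder.notBeforeTime(Date.from(notBefore));
        }
        Instant issuedAt = jwtClaimsSet.getIssuedAt();
        if (issuedAt != null) {
            builder.issueTime(Date.from(issuedAt));
        }
        String id = jwtClaimsSet.getId();
        if (StringUtils.hasText(id)) {
            builder.jwtID(id);
        }
        // Remaining (non-registered) claims are passed through unchanged.
        Set<String> registeredNames = JWTClaimsSet.getRegisteredNames();
        Map<String, Object> customClaims = new HashMap<>();
        jwtClaimsSet.getClaims().forEach((name, value) -> {
            if (!registeredNames.contains(name)) {
                customClaims.put(name, value);
            }
        });
        customClaims.forEach(builder::claim);
        return builder.build();
    }

    /**
     * Converts a header URL to a URI.
     *
     * @param str the JOSE header name, used only in the error message
     * @param url the URL to convert
     * @throws JwtEncodingException if the URL is not a valid URI
     */
    private static URI convertAsURI(String str, URL url) {
        try {
            return url.toURI();
        } catch (Exception e) {
            throw new JwtEncodingException(errorMessage("Unable to convert '" + str + "' JOSE header to a URI"), e);
        }
    }
}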
