package org.apache.cxf.rs.security.oauth2.grants.code;

import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Map;
import javax.ws.rs.core.MultivaluedMap;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.jaxrs.impl.MetadataMap;
import org.apache.cxf.jaxrs.provider.json.JsonMapObjectReaderWriter;
import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
import org.apache.cxf.rs.security.jose.jwe.JweUtils;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.UserSubject;
import org.apache.cxf.rs.security.oauth2.provider.AuthorizationCodeRequestFilter;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.rt.security.crypto.CryptoUtils;

/* loaded from: input_file:org/apache/cxf/rs/security/oauth2/grants/code/JwtRequestCodeFilter.class */
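/**
 * Authorization-code request filter that unpacks a JWT request object passed in the
 * {@code request} parameter and replaces the request parameters with the claims it carries.
 *
 * <p>The request object is optionally JWE-decrypted, its JWS signature is verified, and its
 * issuer and (when present) {@code client_id} claims are matched against the client on whose
 * behalf the request is processed.
 *
 * <p>Key selection is driven by the setters: an explicitly injected decryptor/verifier wins,
 * then the client-secret or client-certificate options, then whatever
 * {@code JweUtils}/{@code JwsUtils} load by default.
 */
public class JwtRequestCodeFilter implements AuthorizationCodeRequestFilter {
    private static final String REQUEST_PARAM = "request";
    private JweDecryptionProvider jweDecryptor;
    private JwsSignatureVerifier jwsVerifier;
    private boolean verifyWithClientCertificates;
    private boolean verifyWithClientSecret;
    private boolean decryptWithClientSecret;
    private String issuer;
    private JsonMapObjectReaderWriter jsonHandler = new JsonMapObjectReaderWriter();

    /**
     * Expands a JWT request object into plain request parameters.
     *
     * <p>If no {@code request} parameter is present the incoming map is returned untouched.
     * Otherwise the returned map is a new one built only from the JWT claims; parameters
     * from the incoming map are not copied into it.
     *
     * @param multivaluedMap the authorization request parameters
     * @param userSubject the authenticated end user (not used by this implementation)
     * @param client the client the request is being processed for
     * @return the original parameters, or a new map holding one entry per JWT claim
     * @throws SecurityException if the signature does not verify, the issuer does not match,
     *         or a {@code client_id} claim is present and differs from the client's id
     */
    @Override // org.apache.cxf.rs.security.oauth2.provider.AuthorizationCodeRequestFilter
    public MultivaluedMap<String, String> process(MultivaluedMap<String, String> multivaluedMap, UserSubject userSubject, Client client) {
        String requestObject = (String) multivaluedMap.getFirst(REQUEST_PARAM);
        if (requestObject == null) {
            return multivaluedMap;
        }

        // Decryption is optional: it only happens when a provider is available.
        JweDecryptionProvider decryptor = getInitializedDecryptionProvider(client);
        if (decryptor != null) {
            requestObject = decryptor.decrypt(requestObject).getContentText();
        }

        JwsSignatureVerifier verifier = getInitializedSigVerifier(client);
        JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(requestObject);
        if (!consumer.verifySignatureWith(verifier)) {
            throw new SecurityException("Invalid Signature");
        }
        JwtClaims jwtClaims = consumer.getJwtClaims();

        // The issuer must be the configured one, or the client itself when none is configured.
        String expectedIssuer = this.issuer != null ? this.issuer : client.getClientId();
        if (!expectedIssuer.equals(jwtClaims.getIssuer())) {
            throw new SecurityException();
        }
        // A client_id claim, when present, must name the client this request is processed for.
        // The previous condition was inverted: it rejected a matching client_id and let a
        // mismatching one through, so a request object could carry another client's id.
        if (jwtClaims.getClaim(OAuthConstants.CLIENT_ID) != null
            && !jwtClaims.getStringProperty(OAuthConstants.CLIENT_ID).equals(client.getClientId())) {
            throw new SecurityException();
        }
        // NOTE(review): only the signature, issuer and client_id are checked in this method;
        // expiry and audience claims are not validated here - confirm whether the caller does so.

        MetadataMap<String, String> params = new MetadataMap<String, String>();
        for (Map.Entry<String, Object> entry : jwtClaims.asMap().entrySet()) {
            Object value = entry.getValue();
            // Structured claims are re-serialized to JSON so they fit a String-valued map.
            if (value instanceof Map) {
                Map<String, Object> nestedMap = CastUtils.cast((Map<?, ?>) value);
                value = this.jsonHandler.toJson(nestedMap);
            } else if (value instanceof List) {
                List<Object> nestedList = CastUtils.cast((List<?>) value);
                value = this.jsonHandler.toJson(nestedList);
            }
            // NOTE(review): a null claim value would fail on toString() - confirm claims are never null.
            params.putSingle(entry.getKey(), value.toString());
        }
        return params;
    }

    /**
     * Sets the provider used to decrypt JWE-protected request objects; takes precedence over
     * the client-secret option.
     */
    public void setJweDecryptor(JweDecryptionProvider jweDecryptionProvider) {
        this.jweDecryptor = jweDecryptionProvider;
    }

    /**
     * Sets the JWS signature verifier; takes precedence over the client-secret and
     * client-certificate options. Despite the "Jwe" in its name this setter configures
     * signature verification, not decryption.
     */
    public void setJweVerifier(JwsSignatureVerifier jwsSignatureVerifier) {
        this.jwsVerifier = jwsSignatureVerifier;
    }

    /**
     * Resolves the decryption provider for the given client: the injected one if set, else a
     * direct-key A128GCM provider keyed by the client secret when that option is enabled, else
     * the result of {@code JweUtils.loadDecryptionProvider(false)}.
     *
     * @param client the client whose secret may be used as the content-encryption key
     * @return the provider to use; presumably {@code null} when none is configured, which
     *         {@link #process} treats as "request object is not encrypted" - TODO confirm
     */
    protected JweDecryptionProvider getInitializedDecryptionProvider(Client client) {
        if (this.jweDecryptor != null) {
            return this.jweDecryptor;
        }
        if (this.decryptWithClientSecret) {
            return JweUtils.getDirectKeyJweDecryption(CryptoUtils.decodeSecretKey(client.getClientSecret()), "A128GCM");
        }
        return JweUtils.loadDecryptionProvider(false);
    }

    /**
     * Resolves the signature verifier for the given client: the injected one if set, else an
     * HS256 verifier keyed by the client secret, else an RS256 verifier built from the first
     * registered client certificate, else the result of {@code JwsUtils.loadSignatureVerifier(true)}.
     *
     * @param client the client whose secret or first application certificate may be used
     * @return the verifier to check the request object's signature with
     */
    protected JwsSignatureVerifier getInitializedSigVerifier(Client client) {
        if (this.jwsVerifier != null) {
            return this.jwsVerifier;
        }
        if (this.verifyWithClientSecret) {
            return JwsUtils.getHmacSignatureVerifier(CryptoUtils.decodeSequence(client.getClientSecret()), "HS256");
        }
        if (this.verifyWithClientCertificates) {
            // Only the first registered certificate is consulted.
            return JwsUtils.getPublicKeySignatureVerifier((X509Certificate) CryptoUtils.decodeCertificate(client.getApplicationCertificates().get(0)), "RS256");
        }
        return JwsUtils.loadSignatureVerifier(true);
    }

    /**
     * Sets the issuer the request object must carry; when unset, the client id is expected.
     */
    public void setIssuer(String str) {
        this.issuer = str;
    }

    /**
     * Enables verification with the client's registered certificate.
     *
     * @throws SecurityException if verification with the client secret is already enabled
     *         (the check runs regardless of the value being set)
     */
    public void setVerifyWithClientCertificates(boolean z) {
        if (this.verifyWithClientSecret) {
            throw new SecurityException();
        }
        this.verifyWithClientCertificates = z;
    }

    /**
     * Enables HMAC verification with the client secret.
     *
     * @throws SecurityException if the client secret is already used for decryption, or
     *         certificate-based verification is already enabled, so one secret is never
     *         configured for both signing and encryption
     */
    public void setVerifyWithClientSecret(boolean z) {
        if (this.decryptWithClientSecret || this.verifyWithClientCertificates) {
            throw new SecurityException();
        }
        this.verifyWithClientSecret = z;
    }

    /**
     * Enables decryption with a key derived from the client secret.
     *
     * @throws SecurityException if the client secret is already used for signature verification
     */
    public void setDecryptWithClientSecret(boolean z) {
        if (this.verifyWithClientSecret) {
            throw new SecurityException();
        }
        this.decryptWithClientSecret = z;
    }
}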
