package de.mhus.lib.core.aaa;

import de.mhus.lib.core.MLog;
import de.mhus.lib.core.MProperties;
import de.mhus.lib.core.MSystem;
import de.mhus.lib.core.MValidator;
import de.mhus.lib.core.cfg.CfgString;
import de.mhus.lib.core.crypt.MBouncy;
import de.mhus.lib.core.crypt.pem.PemBlock;
import de.mhus.lib.core.crypt.pem.PemBlockModel;
import de.mhus.lib.core.keychain.DefaultEntry;
import de.mhus.lib.core.keychain.KeyEntry;
import de.mhus.lib.core.keychain.KeychainSource;
import de.mhus.lib.core.keychain.MKeychain;
import de.mhus.lib.core.keychain.MKeychainUtil;
import de.mhus.lib.core.keychain.MutableVaultSource;
import de.mhus.lib.core.security.MSecurity;
import de.mhus.lib.core.util.TimeoutMap;
import de.mhus.lib.errors.AccessDeniedException;
import de.mhus.lib.errors.MRuntimeException;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.SigningKeyResolver;
import io.jsonwebtoken.SigningKeyResolverAdapter;
import io.jsonwebtoken.security.Keys;
import java.security.Key;
import java.security.KeyPair;
import java.security.PublicKey;
import java.util.Collections;
import java.util.Date;
import java.util.Map;
import java.util.UUID;
import org.apache.shiro.ShiroException;

/* loaded from: input_file:de/mhus/lib/core/aaa/JwtProviderImpl.class */
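/**
 * Default {@link JwtProvider}: issues ES256-signed bearer tokens with this server's private key
 * and verifies incoming tokens with public keys resolved from the keychain via the token's
 * {@code kid} header.
 *
 * <p>The private key is created lazily on first use and persisted (private and public PEM
 * block) into the configured keychain sources. Verification trusts every public key that can
 * be resolved from the configured public source; issuer and audience are not restricted here,
 * so callers needing such restrictions must check the claims themselves.
 *
 * <p>Thread-safety: the cached private key and key id are guarded by the instance monitor
 * (see {@link #getJwtPrivateKey()}, {@link #createBearerToken}, {@link #clear()}); the public
 * key cache is a synchronized map.
 */
public class JwtProviderImpl extends MLog implements JwtProvider {
    protected static final String ALGORITHM = "ECDSA";
    protected static final String PROVIDER = "BC";
    // Guarded by 'this'. Null until the key was loaded or created.
    private Key jwtPrivateKey;
    // Guarded by 'this'. The public key id written as 'kid' into issued tokens.
    private String jwtKeyId;
    private final CfgString CFG_SOURCE_SEC = new CfgString(JwtProvider.class, "privateSource", "default");
    private final CfgString CFG_SOURCE_PUB = new CfgString(JwtProvider.class, "publicSource", "default");
    // kid -> verified public key; presumably a 600000 ms entry timeout so rotated or
    // removed keys are re-read from the keychain — confirm TimeoutMap semantics.
    private final Map<String, PublicKey> publicKeyCache = Collections.synchronizedMap(new TimeoutMap(600000));
    // Resolves the verification key for an incoming token solely from its 'kid' header.
    private final SigningKeyResolverAdapter jwtKeyResolver = new SigningKeyResolverAdapter() {
        @Override
        public Key resolveSigningKey(JwsHeader jwsHeader, Claims claims) {
            return JwtProviderImpl.this.getJwtPublicKeyById(jwsHeader.getKeyId());
        }
    };

    /** Read-only view of a parsed and signature-verified token. */
    private static class JwsDataImpl implements JwsData {
        private final Jws<Claims> jws;

        /**
         * @param jws a token that already passed signature verification
         */
        public JwsDataImpl(Jws<Claims> jws) {
            this.jws = jws;
        }

        @Override // de.mhus.lib.core.aaa.JwsData
        public String getSubject() {
            return this.jws.getBody().getSubject();
        }
    }

    /** Registers the Bouncy Castle provider required by {@link #PROVIDER}. */
    public JwtProviderImpl() {
        MBouncy.init();
    }

    /**
     * Builds and signs a compact JWS.
     *
     * @param subject the subject claim
     * @param issuer the issuer claim; {@code null} selects {@link #getServerIdent()}
     * @param config decides whether an expiration claim is written
     * @param key the signing key
     * @param keyId optional {@code kid} header so verifiers can resolve the public key; omitted when {@code null}
     * @return the compact serialized token
     */
    public String createToken(String subject, String issuer, BearerConfiguration config, Key key, String keyId) {
        JwtBuilder builder = Jwts.builder().setSubject(subject).signWith(key);
        builder.setIssuer(issuer != null ? issuer : getServerIdent());
        if (keyId != null) {
            builder.setHeaderParam("kid", keyId);
        }
        if (config.isTimeout()) {
            // NOTE(review): treats getTTL() as an absolute epoch-millis expiry. If it is a
            // relative duration this must be System.currentTimeMillis() + ttl — confirm
            // against BearerConfiguration.
            builder.setExpiration(new Date(config.getTTL()));
        }
        return builder.compact();
    }

    /**
     * Parses and verifies a token using the keychain-backed key resolver.
     *
     * @param token compact JWS
     * @return the verified token data
     * @throws AccessDeniedException if the token is malformed, expired, badly signed or its key is unknown
     */
    @Override // de.mhus.lib.core.aaa.JwtProvider
    public JwsData readToken(String token) {
        return new JwsDataImpl(readToken(token, this.jwtKeyResolver));
    }

    /**
     * Parses and verifies a token with the given resolver.
     *
     * @param token compact JWS
     * @param resolver supplies the verification key for the token's header
     * @return the verified claims
     * @throws AccessDeniedException if parsing or verification fails
     */
    public Jws<Claims> readToken(String token, SigningKeyResolver resolver) {
        try {
            return Jwts.parserBuilder().setSigningKeyResolver(resolver).build().parseClaimsJws(token);
        } catch (JwtException | MRuntimeException e) {
            // JwtException: malformed, expired or wrongly signed. MRuntimeException: the default
            // resolver found no public key for the kid (getJwtPublicKeyById) and, as far as the
            // parser does not wrap it, it surfaces here. Both mean the token is not trusted.
            log().d(e);
            throw new AccessDeniedException(new Object[]{e});
        }
    }

    /**
     * Issues a bearer token signed with this server's private key, creating the key on first use.
     *
     * @param subject the subject claim
     * @param issuer the issuer claim; {@code null} selects {@link #getServerIdent()}
     * @param config decides whether an expiration claim is written
     * @return the compact serialized token
     * @throws ShiroException if the key cannot be obtained or the token cannot be built
     */
    @Override // de.mhus.lib.core.aaa.JwtProvider
    public String createBearerToken(String subject, String issuer, BearerConfiguration config) throws ShiroException {
        try {
            final Key key;
            final String keyId;
            // Snapshot key and kid under one lock so a concurrent clear() or reload cannot pair
            // the key with a stale or null kid, which verifiers could not resolve.
            synchronized (this) {
                key = getJwtPrivateKey();
                keyId = this.jwtKeyId;
            }
            return createToken(subject, issuer, config, key, keyId);
        } catch (Exception e) {
            log().d(subject, e);
            throw new ShiroException(subject, e);
        }
    }

    /**
     * Returns the private signing key, loading it from the keychain entry
     * {@code jws.<serverIdent>.sec} or creating and persisting a fresh ES256 pair if absent.
     * Also sets {@link #jwtKeyId}.
     *
     * @return the private key
     * @throws ShiroException if the keychain cannot be read or written
     */
    protected synchronized Key getJwtPrivateKey() throws ShiroException {
        if (this.jwtPrivateKey != null) {
            return this.jwtPrivateKey;
        }
        try {
            MKeychain keychain = MKeychainUtil.loadDefault();
            String secName = "jws." + getServerIdent() + ".sec";
            KeyEntry entry = keychain.getEntry(secName);
            if (entry != null) {
                loadPrivateKey(entry);
            } else {
                createKeyPair(keychain, secName);
            }
            return this.jwtPrivateKey;
        } catch (Exception e) {
            throw new ShiroException(e);
        }
    }

    /** Restores key and kid from an existing PEM entry; the kid is the PEM's PUB_ID property. */
    private void loadPrivateKey(KeyEntry entry) throws Exception {
        log().i("Load JWT key");
        String pem = entry.getValue().value();
        this.jwtKeyId = PemBlockModel.loadFromString(pem).getString(PemBlock.PUB_ID);
        this.jwtPrivateKey = MSecurity.readPrivateKey(pem, ALGORITHM, PROVIDER);
    }

    /**
     * Generates an ES256 pair, stores the private PEM under {@code secName} in the private source
     * and the public PEM under {@code jws.<serverIdent>.pub} in the public source, each
     * cross-referencing the other's id. Fields are updated only after both saves succeeded.
     */
    private void createKeyPair(MKeychain keychain, String secName) throws Exception {
        log().i("Create JWT keys");
        KeyPair pair = Keys.keyPairFor(SignatureAlgorithm.ES256);
        UUID pubId = UUID.randomUUID();
        UUID privId = UUID.randomUUID();

        MProperties privProps = new MProperties();
        privProps.put(PemBlock.IDENT, (Object) privId);
        privProps.put(PemBlock.PUB_ID, (Object) pubId);
        privProps.put(PemBlock.ALGORITHM, (Object) ALGORITHM);
        String privPem = MSecurity.keyToString(pair.getPrivate(), privProps);
        MutableVaultSource privSource = keychain.getSource(this.CFG_SOURCE_SEC.value()).getEditable();
        privSource.addEntry(new DefaultEntry(privId, MKeychainUtil.getType(privPem), secName, "JWT private key", privPem));
        privSource.doSave();

        String pubName = "jws." + getServerIdent() + ".pub";
        MProperties pubProps = new MProperties();
        pubProps.put(PemBlock.IDENT, (Object) pubId);
        pubProps.put(PemBlock.PRIV_ID, (Object) privId);
        pubProps.put(PemBlock.ALGORITHM, (Object) ALGORITHM);
        String pubPem = MSecurity.keyToString(pair.getPublic(), pubProps);
        MutableVaultSource pubSource = keychain.getSource(this.CFG_SOURCE_PUB.value()).getEditable();
        pubSource.addEntry(new DefaultEntry(pubId, MKeychainUtil.getType(pubPem), pubName, "JWT public key", pubPem));
        pubSource.doSave();

        this.jwtPrivateKey = pair.getPrivate();
        // The public key's id is the kid, so verifiers can look the entry up by UUID.
        this.jwtKeyId = pubId.toString();
    }

    /** Identifier used as default issuer and in keychain entry names; the host name. */
    protected String getServerIdent() {
        return MSystem.getHostname();
    }

    /**
     * Resolves the public key for a token's {@code kid} from the cache or the public keychain
     * source. A UUID kid is looked up by entry id, anything else by the name {@code jwt.<kid>.pub}.
     *
     * @param keyId the token's {@code kid} header
     * @return the public key
     * @throws MRuntimeException if the kid is missing, unknown or the entry cannot be read
     */
    protected Key getJwtPublicKeyById(String keyId) {
        if (keyId == null || keyId.isEmpty()) {
            // A token without kid cannot be matched to a key; fail explicitly instead of
            // handing null to the validator or the cache.
            throw new MRuntimeException(new Object[]{"Key id missing"});
        }
        PublicKey cached = this.publicKeyCache.get(keyId);
        if (cached != null) {
            return cached;
        }
        PublicKey loaded;
        try {
            KeychainSource source = MKeychainUtil.loadDefault().getSource(this.CFG_SOURCE_PUB.value());
            // NOTE(review): non-UUID ids are looked up as "jwt.<id>.pub" while keys created by
            // createKeyPair are stored as "jws.<ident>.pub" — confirm the differing prefix is intended.
            KeyEntry entry = MValidator.isUUID(keyId)
                    ? source.getEntry(UUID.fromString(keyId))
                    : source.getEntry("jwt." + keyId + ".pub");
            loaded = entry == null ? null : MSecurity.readPublicKey(entry.getValue().value(), ALGORITHM, PROVIDER);
        } catch (Exception e) {
            throw new MRuntimeException(new Object[]{keyId, e});
        }
        if (loaded == null) {
            throw new MRuntimeException(new Object[]{"Key unknown", keyId});
        }
        this.publicKeyCache.put(keyId, loaded);
        return loaded;
    }

    /**
     * Verifies the token and returns its subject claim.
     *
     * @param token compact JWS
     * @return the subject claim
     * @throws AccessDeniedException if the token cannot be verified
     */
    @Override // de.mhus.lib.core.aaa.JwtProvider
    public String getSubject(String token) {
        return readToken(token, this.jwtKeyResolver).getBody().getSubject();
    }

    /**
     * Drops the cached private key, key id and public keys so they are re-read from the
     * keychain on next use. Synchronized to pair with {@link #getJwtPrivateKey()}.
     */
    public synchronized void clear() {
        this.jwtPrivateKey = null;
        this.jwtKeyId = null;
        this.publicKeyCache.clear();
    }
}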
