package fi.evolver.azure.entraid;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.crypto.factories.DefaultJWSSignerFactory;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.io.ByteArrayInputStream;
import java.security.KeyFactory;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.time.Instant;
import java.util.Arrays;
import java.util.Base64;
import java.util.Date;
import java.util.Objects;
import java.util.UUID;

/* loaded from: input_file:fi/evolver/azure/entraid/EntraIdCertificateSignedJwtAssertionFactory.class */
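/**
 * Builds short-lived, certificate-signed client assertions (RS256 JWTs) for the Entra ID token endpoint.
 *
 * <p>The private key, certificate and claim template are validated and fixed once in the constructor;
 * {@link #createJwtAssertion()} then mints a fresh assertion per call with its own {@code jti},
 * {@code iat}, {@code nbf} and {@code exp}. The decoded key material lives in the Nimbus signer for the
 * lifetime of this object.
 *
 * <p>NOTE(review): instances are intended to be shared across threads; that relies on the Nimbus
 * signer created by {@link DefaultJWSSignerFactory} being thread-safe — confirm against the Nimbus
 * version in use.
 */
public class EntraIdCertificateSignedJwtAssertionFactory {
    /** Validity window of each issued assertion, measured from its issue time. */
    private static final long ASSERTION_LIFETIME_SECONDS = 300L;
    /** Audience of the assertion; {@code %s} is replaced by the tenant id. */
    private static final String AUDIENCE_TEMPLATE = "https://login.microsoftonline.com/%s/v2.0";

    private final JWSSigner signer;
    private final JWSHeader header;
    private final JWTClaimsSet templateClaims;

    /**
     * Creates a factory from a certificate credential.
     *
     * @param privateKeyBase64 standard-alphabet base64 of the DER-encoded PKCS#8 RSA private key
     * @param certificateBase64 standard-alphabet base64 of the DER-encoded X.509 certificate that belongs
     *        to {@code privateKeyBase64}; its SHA-1 thumbprint is sent as the {@code x5t} header
     * @param tenantId Entra ID tenant id, used to build the token endpoint audience ({@code aud})
     * @param clientId application (client) id, used as both {@code iss} and {@code sub}
     * @throws EntraIdAssertionException if the key or certificate cannot be decoded, the certificate is not
     *         RSA, the key does not belong to the certificate, or the signer cannot be created
     * @throws NullPointerException if any argument is {@code null}
     */
    public EntraIdCertificateSignedJwtAssertionFactory(String privateKeyBase64, String certificateBase64, String tenantId, String clientId) throws EntraIdAssertionException {
        Objects.requireNonNull(privateKeyBase64, "privateKeyBase64");
        Objects.requireNonNull(certificateBase64, "certificateBase64");
        Objects.requireNonNull(tenantId, "tenantId");
        Objects.requireNonNull(clientId, "clientId");
        try {
            PrivateKey privateKey = decodePrivateKey(privateKeyBase64);
            X509Certificate certificate = decodeCertificate(certificateBase64);
            RSAPublicKey publicKey = requireRsaPublicKey(certificate);
            // Fail at construction instead of issuing assertions whose signature can never verify
            // against the certificate named in the x5t header.
            requireMatchingKeyPair(publicKey, privateKey);
            this.signer = createJWSSigner(publicKey, privateKey);
            this.header = createJWSHeader(certificate);
            this.templateClaims = createTemplateJWTClaims(tenantId, clientId);
        } catch (NoSuchAlgorithmException | CertificateException | InvalidKeySpecException | JOSEException
                | IllegalArgumentException e) {
            // IllegalArgumentException is what Base64 throws on malformed input; wrap it so callers only
            // have to handle the factory's declared exception type.
            throw new EntraIdAssertionException("Failed to create factory.", e);
        }
    }

    /**
     * Mints and serializes a new signed assertion.
     *
     * @return the compact-serialized JWS ({@code header.claims.signature})
     * @throws EntraIdAssertionException if signing fails
     */
    public String createJwtAssertion() throws EntraIdAssertionException {
        SignedJWT signedJWT = new SignedJWT(this.header, createJWTClaimsSet());
        try {
            signedJWT.sign(this.signer);
            return signedJWT.serialize();
        } catch (JOSEException e) {
            throw new EntraIdAssertionException("Failed to sign JWT.", e);
        }
    }

    /** Decodes a base64 PKCS#8 DER blob into an RSA private key; the intermediate byte array is zeroed afterwards. */
    private static PrivateKey decodePrivateKey(String privateKeyBase64) throws NoSuchAlgorithmException, InvalidKeySpecException {
        byte[] der = Base64.getDecoder().decode(privateKeyBase64);
        try {
            // PKCS8EncodedKeySpec copies the array, so wiping our copy does not affect the spec.
            return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
        } finally {
            Arrays.fill(der, (byte) 0);
        }
    }

    /** Decodes a base64 DER blob into an X.509 certificate. */
    private static X509Certificate decodeCertificate(String certificateBase64) throws CertificateException {
        byte[] der = Base64.getDecoder().decode(certificateBase64);
        // The "X.509" factory always yields X509Certificate instances, so the cast is safe.
        return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(der));
    }

    /** Returns the certificate's public key, rejecting non-RSA certificates with a descriptive error instead of a ClassCastException. */
    private static RSAPublicKey requireRsaPublicKey(X509Certificate certificate) throws CertificateException {
        PublicKey publicKey = certificate.getPublicKey();
        if (!(publicKey instanceof RSAPublicKey)) {
            throw new CertificateException("Certificate public key is not RSA: " + publicKey.getAlgorithm());
        }
        return (RSAPublicKey) publicKey;
    }

    /**
     * Verifies that the private key belongs to the certificate by comparing RSA moduli.
     * Private keys that do not expose their modulus (non-{@link RSAPrivateKey} implementations) are not checked.
     */
    private static void requireMatchingKeyPair(RSAPublicKey publicKey, PrivateKey privateKey) throws InvalidKeySpecException {
        if (privateKey instanceof RSAPrivateKey
                && !((RSAPrivateKey) privateKey).getModulus().equals(publicKey.getModulus())) {
            throw new InvalidKeySpecException("Private key does not belong to the certificate (RSA modulus mismatch).");
        }
    }

    /** Builds the RS256 signer; the random key id only labels the in-memory JWK and is not emitted in the header. */
    private static JWSSigner createJWSSigner(RSAPublicKey publicKey, PrivateKey privateKey) throws JOSEException {
        RSAKey jwk = new RSAKey.Builder(publicKey)
                .privateKey(privateKey)
                .keyID(UUID.randomUUID().toString())
                .build();
        return new DefaultJWSSignerFactory().createJWSSigner(jwk);
    }

    /** Builds the fixed JWS header: {@code alg=RS256}, {@code typ=JWT}, {@code x5t=<base64url SHA-1 thumbprint>}. */
    private static JWSHeader createJWSHeader(X509Certificate certificate) throws CertificateEncodingException, NoSuchAlgorithmException {
        return new JWSHeader.Builder(JWSAlgorithm.RS256)
                .type(JOSEObjectType.JWT)
                .x509CertThumbprint(Base64URL.encode(getX5t(certificate)))
                .build();
    }

    /**
     * Computes the certificate thumbprint for the {@code x5t} header.
     * {@code x5t} is defined (RFC 7515 §4.1.7) as the SHA-1 digest of the DER certificate; it only identifies
     * which certificate the verifier should use and is not a security control, so SHA-1 is correct here.
     */
    private static byte[] getX5t(X509Certificate certificate) throws NoSuchAlgorithmException, CertificateEncodingException {
        return MessageDigest.getInstance("SHA-1").digest(certificate.getEncoded());
    }

    /** Builds the claims shared by every assertion: {@code aud} for the tenant, {@code iss} and {@code sub} set to the client id. */
    private static JWTClaimsSet createTemplateJWTClaims(String tenantId, String clientId) {
        return new JWTClaimsSet.Builder()
                .audience(AUDIENCE_TEMPLATE.formatted(tenantId))
                .issuer(clientId)
                .subject(clientId)
                .build();
    }

    /** Adds the per-assertion claims ({@code jti}, {@code iat}, {@code nbf}, {@code exp}) to the template. */
    private JWTClaimsSet createJWTClaimsSet() {
        Instant now = Instant.now();
        Date issuedAt = Date.from(now);
        return new JWTClaimsSet.Builder(this.templateClaims)
                .jwtID(UUID.randomUUID().toString())
                .issueTime(issuedAt)
                .notBeforeTime(issuedAt)
                .expirationTime(Date.from(now.plusSeconds(ASSERTION_LIFETIME_SECONDS)))
                .build();
    }
}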
