package org.apereo.cas.token;

import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.Parameter;
import java.io.StringWriter;
import java.security.Key;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.spec.RSAPublicKeySpec;
import org.apache.commons.lang3.StringUtils;
import org.apereo.cas.authentication.principal.ServiceFactory;
import org.apereo.cas.authentication.principal.WebApplicationService;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.services.RegisteredService;
import org.apereo.cas.services.RegisteredServiceAccessStrategyUtils;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.token.cipher.JwtTicketCipherExecutor;
import org.apereo.cas.token.cipher.RegisteredServiceJwtTicketCipherExecutor;
import org.apereo.cas.util.crypto.CipherExecutor;
import org.apereo.cas.web.BaseCasActuatorEndpoint;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.springframework.boot.actuate.endpoint.Access;
import org.springframework.boot.actuate.endpoint.annotation.Endpoint;
import org.springframework.boot.actuate.endpoint.annotation.ReadOperation;
import org.springframework.lang.Nullable;

/**
 * Actuator endpoint that publishes the RSA public key matching the key CAS uses to sign JWT tickets.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The endpoint is declared with {@code defaultAccess = Access.NONE}, so it is not reachable
 *       unless access is granted explicitly in configuration.</li>
 *   <li>Only the public half of the key pair is serialized: the response is built from the modulus and
 *       public exponent of the signing key, never from the private key object itself.</li>
 *   <li>A signing key that is not an {@link RSAPrivateCrtKey} yields an empty response, so no other
 *       kind of key material is ever written out by this class.</li>
 * </ul>
 */
@Endpoint(id = "jwtTicketSigningPublicKey", defaultAccess = Access.NONE)
/* loaded from: input_file:WEB-INF/lib/cas-server-support-token-core-api-7.3.0-RC2.jar:org/apereo/cas/token/JwtTokenCipherSigningPublicKeyEndpoint.class */
public class JwtTokenCipherSigningPublicKeyEndpoint extends BaseCasActuatorEndpoint {
    // Server-wide cipher whose signing key is used when no service-specific key applies.
    private final CipherExecutor tokenCipherExecutor;
    // Registry used to resolve the requested service to its registered definition.
    private final ServicesManager servicesManager;
    // Turns the raw "service" request value into a service object for the registry lookup.
    private final ServiceFactory<WebApplicationService> webApplicationServiceFactory;

    /**
     * Creates the endpoint.
     *
     * @param casConfigurationProperties CAS settings, handed to the base actuator endpoint
     * @param cipherExecutor server-wide token cipher that supplies the default signing key
     * @param servicesManager registry used to look up the registered service
     * @param serviceFactory factory that builds a service object from the request value
     */
    public JwtTokenCipherSigningPublicKeyEndpoint(CasConfigurationProperties casConfigurationProperties, CipherExecutor cipherExecutor, ServicesManager servicesManager, ServiceFactory<WebApplicationService> serviceFactory) {
        super(casConfigurationProperties);
        this.webApplicationServiceFactory = serviceFactory;
        this.servicesManager = servicesManager;
        this.tokenCipherExecutor = cipherExecutor;
    }

    /**
     * Returns the PEM-encoded RSA public key for the signing key in effect.
     *
     * <p>The server-wide signing key is the default. When a service is given, the service is resolved,
     * passed through the registered-service access check, and its own signing key replaces the default
     * if the per-service cipher supports that service and is enabled.
     *
     * <p>NOTE(review): the parameter name {@code str} looks like a decompiler placeholder for the
     * {@code service} parameter named in the {@code @Operation} annotation; actuator endpoints bind
     * request parameters by method parameter name, so confirm against the original sources.
     *
     * @param str the service to look up; may be {@code null} or blank to use the server-wide key
     * @return the public key in PEM form as {@code text/plain}, or an empty string when the signing
     *     key is not an {@link RSAPrivateCrtKey}
     * @throws Exception if the service lookup or access check fails, or the key cannot be converted
     *     or written
     */
    @ReadOperation(produces = {"text/plain"})
    @Operation(summary = "Get public key for signing operations", parameters = {@Parameter(name = "service", required = false, description = "The service to look up")})
    public String fetchPublicKey(@Nullable String str) throws Exception {
        // Read the server-wide key first; a service-specific key may override it below.
        Key effectiveKey = this.tokenCipherExecutor.getSigningKey();
        if (StringUtils.isNotBlank(str)) {
            WebApplicationService requestedService = this.webApplicationServiceFactory.createService(str);
            RegisteredService registeredService = this.servicesManager.findServiceBy(requestedService);
            // The access check runs before any service-specific key material is touched.
            RegisteredServiceAccessStrategyUtils.ensureServiceAccessIsAllowed(requestedService, registeredService);
            RegisteredServiceJwtTicketCipherExecutor perServiceCipher = new RegisteredServiceJwtTicketCipherExecutor();
            if (perServiceCipher.supports(registeredService)) {
                JwtTicketCipherExecutor serviceCipher = perServiceCipher.getTokenTicketCipherExecutorForService(registeredService);
                if (serviceCipher.isEnabled()) {
                    effectiveKey = serviceCipher.getSigningKey();
                }
            }
        }
        if (effectiveKey instanceof RSAPrivateCrtKey) {
            RSAPrivateCrtKey privateKey = (RSAPrivateCrtKey) effectiveKey;
            // Rebuild the public key from the public components only; the private exponent is never read.
            RSAPublicKeySpec publicSpec = new RSAPublicKeySpec(privateKey.getModulus(), privateKey.getPublicExponent());
            return toPem(KeyFactory.getInstance("RSA").generatePublic(publicSpec));
        }
        // Any other key type produces an empty body rather than exposing key material.
        return "";
    }

    // Writes the given public key as a PEM block and returns the text.
    private static String toPem(PublicKey publicKey) throws Exception {
        StringWriter pemText = new StringWriter();
        try (JcaPEMWriter pemWriter = new JcaPEMWriter(pemText)) {
            pemWriter.writeObject(publicKey);
            pemWriter.flush();
        }
        return pemText.toString();
    }
}
