package org.elasticsearch.xpack.security.authc.jwt;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyOperation;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.OctetSequenceKey;
import com.nimbusds.jose.jwk.RSAKey;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.function.Supplier;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.common.settings.SettingsException;
import org.elasticsearch.core.Strings;
import org.elasticsearch.xpack.core.security.authc.jwt.JwtRealmSettings;
import org.elasticsearch.xpack.security.authc.jwt.JwkSetLoader;
import org.elasticsearch.xpack.security.authc.jwt.JwtUtil;

/* loaded from: input_file:org/elasticsearch/xpack/security/authc/jwt/JwkValidateUtil.class */
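public class JwkValidateUtil {
    private static final Logger logger = LogManager.getLogger(JwkValidateUtil.class);

    /** Smallest RSA modulus size, in bits, that {@link #isMatch} accepts for the RSA signature algorithms. */
    private static final int MIN_RSA_MODULUS_BITS = 2048;

    /**
     * Narrows a list of JWKs and a list of configured algorithm names down to the subsets that can be
     * used together for signature verification.
     * <p>
     * Four passes run in order, each one traced through a {@link JwtUtil.TraceBuffer}:
     * <ol>
     *   <li>keep JWKs whose {@code use} is absent or equals {@code sig};</li>
     *   <li>keep JWKs whose {@code key_ops} is absent or contains {@code verify};</li>
     *   <li>keep JWKs that {@link #isMatch} accepts for at least one configured algorithm;</li>
     *   <li>keep algorithms that {@link #isMatch} accepts for at least one JWK left after pass 3.</li>
     * </ol>
     * A JWK that declares neither {@code use} nor {@code key_ops} passes the first two passes, so the
     * key-strength and curve checks in {@link #isMatch} are the only hard gate for such keys.
     *
     * @param jwks the candidate JWKs (public or secret keys)
     * @param algorithms the configured signature algorithm names
     * @return the surviving JWKs and algorithm names; either list may be empty
     * @throws SettingsException declared for callers; nothing in this method raises it directly
     */
    public static JwkSetLoader.JwksAlgs filterJwksAndAlgorithms(List<JWK> jwks, List<String> algorithms) throws SettingsException {
        // try-with-resources: the buffer is flushed/closed on both the normal and the exceptional path
        try (JwtUtil.TraceBuffer trace = new JwtUtil.TraceBuffer(logger)) {
            trace.append("Filtering [{}] JWKs for the following algorithms [{}].", jwks.size(), String.join(",", algorithms));

            List<JWK> sigUseJwks = jwks.stream().filter(JwkValidateUtil::isSignatureUse).toList();
            trace.append("[{}] remaining JWKs after KeyUse [SIGNATURE] filter.", sigUseJwks.size());

            List<JWK> verifyOpJwks = sigUseJwks.stream().filter(JwkValidateUtil::hasVerifyOperation).toList();
            trace.append("[{}] remaining JWKs after KeyOperation [VERIFY] filter.", verifyOpJwks.size());

            List<JWK> matchedJwks = verifyOpJwks.stream()
                .filter(jwk -> algorithms.stream().anyMatch(alg -> isMatch(jwk, alg, trace)))
                .toList();
            trace.append("[{}] remaining JWKs after algorithms name filter.", matchedJwks.size());

            // Second direction of the same match: an algorithm survives only if some surviving JWK fits it.
            List<String> matchedAlgorithms = algorithms.stream()
                .filter(alg -> matchedJwks.stream().anyMatch(jwk -> isMatch(jwk, alg, trace)))
                .toList();
            trace.append(
                "[{}] remaining JWKs after configured algorithms [{}] filter.",
                matchedJwks.size(),
                String.join(",", matchedAlgorithms)
            );

            return new JwkSetLoader.JwksAlgs(matchedJwks, matchedAlgorithms);
        }
    }

    /** True when the JWK has no {@code use} member or its {@code use} is {@code sig}. */
    private static boolean isSignatureUse(JWK jwk) {
        return jwk.getKeyUse() == null || KeyUse.SIGNATURE.equals(jwk.getKeyUse());
    }

    /** True when the JWK has no {@code key_ops} member or its {@code key_ops} contains {@code verify}. */
    private static boolean hasVerifyOperation(JWK jwk) {
        return jwk.getKeyOperations() == null || jwk.getKeyOperations().contains(KeyOperation.VERIFY);
    }

    /**
     * Decides whether a single JWK is acceptable for a single signature algorithm name.
     * <p>
     * The JWK type must correspond to the algorithm family, and the key must meet that family's
     * minimum: an HMAC secret at least as long as {@link MACSigner#getMinRequiredSecretLength} reports
     * for the algorithm, an RSA modulus of at least {@value #MIN_RSA_MODULUS_BITS} bits (after the
     * byte-rounding in {@link #computeBitLengthRsa}), or an EC curve that
     * {@link Curve#forJWSAlgorithm} lists for the algorithm. Any other combination, and any exception
     * raised while checking, yields {@code false}, i.e. the check fails closed. A rejection reason is
     * appended to {@code trace}; an exception is logged with its stack trace only at TRACE level.
     *
     * @param jwk the key to check
     * @param algorithm the signature algorithm name
     * @param trace receives a one-line reason when the key is rejected for a strength/curve mismatch
     * @return whether the key may be used to verify signatures produced with {@code algorithm}
     */
    public static boolean isMatch(JWK jwk, String algorithm, JwtUtil.TraceBuffer trace) {
        try {
            if (JwtRealmSettings.SUPPORTED_SIGNATURE_ALGORITHMS_HMAC.contains(algorithm) && jwk instanceof OctetSequenceKey hmacJwk) {
                int secretBits = hmacJwk.size();
                int minBits = MACSigner.getMinRequiredSecretLength(JWSAlgorithm.parse(algorithm));
                boolean ok = secretBits >= minBits;
                if (ok == false) {
                    trace.append("HMAC JWK [" + secretBits + "] bits too small for algorithm [" + algorithm + "] minimum [" + minBits + "].");
                }
                return ok;
            }
            if (JwtRealmSettings.SUPPORTED_SIGNATURE_ALGORITHMS_RSA.contains(algorithm) && jwk instanceof RSAKey rsaJwk) {
                int modulusBits = computeBitLengthRsa(rsaJwk.toPublicKey());
                boolean ok = modulusBits >= MIN_RSA_MODULUS_BITS;
                if (ok == false) {
                    trace.append(
                        "RSA JWK [" + modulusBits + "] bits too small for algorithm [" + algorithm + "] minimum [" + MIN_RSA_MODULUS_BITS + "]."
                    );
                }
                return ok;
            }
            if (JwtRealmSettings.SUPPORTED_SIGNATURE_ALGORITHMS_EC.contains(algorithm) && jwk instanceof ECKey ecJwk) {
                Curve curve = ecJwk.getCurve();
                Set<Curve> allowedCurves = Curve.forJWSAlgorithm(JWSAlgorithm.parse(algorithm));
                boolean ok = allowedCurves.contains(curve);
                if (ok == false) {
                    trace.append("EC JWK [" + curve + "] curve not allowed for algorithm [" + algorithm + "] allowed " + allowedCurves + ".");
                }
                return ok;
            }
            // Algorithm family and key type do not correspond (or the algorithm is not supported at all).
            return false;
        } catch (Exception e) {
            // Only the key id is logged, never key material.
            String message = Strings.format("Unexpected exception while matching JWK with kid [%s] to it's algorithm requirement.", jwk.getKeyID());
            if (logger.isTraceEnabled()) {
                logger.trace(message, e);
            } else {
                logger.debug(message);
            }
            return false;
        }
    }

    /**
     * Returns the RSA modulus bit length rounded up to the next multiple of 8.
     * <p>
     * Because of the rounding, a modulus whose bit length is within 7 bits below a byte boundary is
     * reported at that boundary (e.g. 2041..2048 all yield 2048).
     *
     * @param publicKey expected to be an {@link RSAPublicKey}
     * @return the byte-rounded modulus bit length
     * @throws Exception when {@code publicKey} is {@code null} or not an {@link RSAPublicKey}
     */
    static int computeBitLengthRsa(PublicKey publicKey) throws Exception {
        if (publicKey instanceof RSAPublicKey rsaPublicKey) {
            int modulusBits = rsaPublicKey.getModulus().bitLength();
            return ((modulusBits + 7) / 8) * 8;
        }
        String got = publicKey == null ? "null" : publicKey.getClass().getSimpleName();
        throw new Exception("Expected public key class [RSAPublicKey]. Got [" + got + "] instead.");
    }

    /**
     * Parses a JWK Set document into its keys.
     * <p>
     * NOTE(review): the parsed keys are returned as-is; whether private key material present in the
     * set should be rejected for a verification-only setting is not checked here — confirm in the caller.
     *
     * @param settingName the setting the contents came from; only used in the error message
     * @param jwkSetContents the JWK Set JSON, may be {@code null} or blank
     * @return the keys of the set, or an empty list when the contents are blank
     * @throws SettingsException when the contents are present but cannot be parsed
     */
    public static List<JWK> loadJwksFromJwkSetString(String settingName, CharSequence jwkSetContents) throws SettingsException {
        if (org.elasticsearch.common.Strings.hasText(jwkSetContents) == false) {
            return Collections.emptyList();
        }
        try {
            return JWKSet.parse(jwkSetContents.toString()).getKeys();
        } catch (Exception e) {
            throw new SettingsException("JWKSet parse failed for setting [" + settingName + "]", e);
        }
    }

    /**
     * Builds an HMAC JWK from a shared-secret string setting.
     *
     * @param settingName the setting the secret came from; only used in the error message
     * @param secret the shared secret, may be {@code null} or blank
     * @return the HMAC JWK, or {@code null} when the secret is blank
     * @throws SettingsException when the secret is present but the key cannot be built
     */
    public static OctetSequenceKey loadHmacJwkFromJwkString(String settingName, CharSequence secret) {
        if (org.elasticsearch.common.Strings.hasText(secret) == false) {
            return null;
        }
        try {
            return buildHmacKeyFromString(secret);
        } catch (Exception e) {
            throw new SettingsException("HMAC Key parse failed for setting [" + settingName + "]", e);
        }
    }

    /**
     * Wraps the raw UTF-8 bytes of {@code secret} as an octet-sequence JWK.
     * <p>
     * The string is not base64url-decoded: the secret's strength, as later measured by
     * {@link OctetSequenceKey#size()} in {@link #isMatch}, is the byte length of its UTF-8 encoding.
     *
     * @param secret the shared secret text
     * @return the HMAC JWK
     */
    static OctetSequenceKey buildHmacKeyFromString(CharSequence secret) {
        return new OctetSequenceKey.Builder(secret.toString().getBytes(StandardCharsets.UTF_8)).build();
    }
}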
