package org.gcube.io.jsonwebtoken.impl.security;

import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.gcube.io.jsonwebtoken.Identifiable;
import org.gcube.io.jsonwebtoken.Jwts;
import org.gcube.io.jsonwebtoken.impl.lang.Bytes;
import org.gcube.io.jsonwebtoken.impl.lang.RequiredParameterReader;
import org.gcube.io.jsonwebtoken.io.Encoders;
import org.gcube.io.jsonwebtoken.lang.Assert;
import org.gcube.io.jsonwebtoken.lang.Strings;
import org.gcube.io.jsonwebtoken.security.AeadAlgorithm;
import org.gcube.io.jsonwebtoken.security.InvalidKeyException;
import org.gcube.io.jsonwebtoken.security.Keys;
import org.gcube.io.jsonwebtoken.security.MacAlgorithm;
import org.gcube.io.jsonwebtoken.security.MalformedKeyException;
import org.gcube.io.jsonwebtoken.security.SecretJwk;
import org.gcube.io.jsonwebtoken.security.SecretKeyAlgorithm;
import org.gcube.io.jsonwebtoken.security.WeakKeyException;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:WEB-INF/lib/gcube-jjwt-impl-0.12.6.jar:org/gcube/io/jsonwebtoken/impl/security/SecretJwkFactory.class */
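/**
 * JWK factory for the {@code "oct"} (symmetric / secret key) family: converts a {@link SecretKey}
 * into a {@link SecretJwk} and rebuilds a {@link SecretKey} from a JWK's {@code k} parameter.
 *
 * <p>Points a reviewer should keep in mind when reading this class:
 * <ul>
 *   <li>When a key is exported, the raw encoded bytes are zeroed as soon as the Base64URL {@code k}
 *       text exists. The {@code k} String itself is immutable, is stored in the context, and
 *       cannot be wiped afterwards.</li>
 *   <li>The minimum-length check ({@link WeakKeyException}) only runs when the JWK {@code alg}
 *       value resolves to a {@link MacAlgorithm}. Without {@code alg}, the key type is inferred
 *       from the signature-use flag and the key length.</li>
 *   <li>An {@code alg} value that none of the three registries recognises is not rejected here;
 *       the bytes are handed to {@code AesAlgorithm.keyFor}.</li>
 * </ul>
 *
 * <p>This listing is decompiler output (JADX); the JADX notes record that the constructor was
 * originally package-private and both {@code createJwk*} methods were originally protected.
 */
public class SecretJwkFactory extends AbstractFamilyJwkFactory<SecretKey, SecretJwk> {

    /**
     * Registers this factory for the {@code "oct"} family, {@link SecretKey} keys and the
     * parameter set declared by {@code DefaultSecretJwk.PARAMS}.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public SecretJwkFactory() {
        super("oct", SecretKey.class, DefaultSecretJwk.PARAMS);
    }

    /**
     * Builds a secret JWK from the {@link SecretKey} held by the context.
     *
     * <p>The key's encoded bytes are Base64URL-encoded into the {@code k} parameter. If
     * {@code DefaultMacAlgorithm.findByKey} recognises the key, the matching algorithm id is
     * stored as {@code alg}. The populated context is then passed to
     * {@link #createJwkFromValues(JwkContext)}.
     *
     * @param jwkContext context carrying the key; its key must not be null
     * @return the JWK produced by {@link #createJwkFromValues(JwkContext)}
     */
    /* JADX INFO: Access modifiers changed from: protected */
    /* JADX WARN: Can't rename method to resolve collision */
    @Override // org.gcube.io.jsonwebtoken.impl.security.AbstractFamilyJwkFactory
    public SecretJwk createJwkFromKey(JwkContext<SecretKey> jwkContext) {
        SecretKey secretKey = (SecretKey) Assert.notNull(jwkContext.getKey(), "JwkContext key cannot be null.");
        byte[] encoded = null;
        String k;
        // NOTE(review): the decompiled output declared an unused InvalidKeyException local here,
        // which suggests the original source wrapped encoding failures in that type. As decompiled,
        // failures propagate unchanged - confirm against the upstream source before relying on the
        // exception type.
        try {
            encoded = KeysBridge.getEncoded(secretKey);
            k = Encoders.BASE64URL.encode(encoded);
            Assert.hasText(k, "k value cannot be null or empty.");
        } finally {
            // Zero the raw key bytes on success and on failure; 'encoded' is still null here if
            // getEncoded itself threw, exactly as in the decompiled catch path.
            Bytes.clear(encoded);
        }
        DefaultMacAlgorithm macAlgorithm = DefaultMacAlgorithm.findByKey(secretKey);
        if (macAlgorithm != null) {
            jwkContext.put(AbstractJwk.ALG.getId(), macAlgorithm.getId());
        }
        jwkContext.put(DefaultSecretJwk.K.getId(), k);
        return createJwkFromValues(jwkContext);
    }

    /**
     * Rejects key material that is shorter than the MAC algorithm's required key length.
     *
     * @param bArr raw key bytes taken from the JWK {@code k} parameter
     * @param macAlgorithm algorithm named by the JWK {@code alg} parameter
     * @throws WeakKeyException if the key has fewer bits than {@code macAlgorithm.getKeyBitLength()}
     */
    private static void assertKeyBitLength(byte[] bArr, MacAlgorithm macAlgorithm) {
        long actualBits = Bytes.bitLength(bArr);
        long requiredBits = macAlgorithm.getKeyBitLength();
        if (actualBits < requiredBits) {
            throw new WeakKeyException("Secret JWK " + AbstractJwk.ALG + " value is '" + macAlgorithm.getId() + "', but the " + DefaultSecretJwk.K + " length is smaller than the " + macAlgorithm.getId() + " minimum length of " + Bytes.bitsMsg(requiredBits) + " required by [JWA RFC 7518, Section 3.2](https://www.rfc-editor.org/rfc/rfc7518.html#section-3.2), 2nd paragraph: 'A key of the same size as the hash output or larger MUST be used with this algorithm.'");
        }
    }

    /**
     * Rejects an {@code alg} value that resolves to something other than a MAC, secret-key
     * management or AEAD algorithm.
     *
     * @param identifiable algorithm resolved from the JWK {@code alg} parameter; must not be null
     * @throws MalformedKeyException if the algorithm is none of the three symmetric kinds
     */
    private static void assertSymmetric(Identifiable identifiable) {
        boolean symmetric = identifiable instanceof MacAlgorithm
                || identifiable instanceof SecretKeyAlgorithm
                || identifiable instanceof AeadAlgorithm;
        if (!symmetric) {
            throw new MalformedKeyException("Invalid Secret JWK " + AbstractJwk.ALG + " value '" + identifiable.getId() + "'. Secret JWKs may only be used with symmetric (secret) key algorithms.");
        }
    }

    /**
     * Looks the {@code alg} id up in the signature, key-management and encryption registries,
     * in that order.
     *
     * @param algorithm non-empty {@code alg} value from the JWK
     * @return the first registry match, or {@code null} when no registry knows the id
     */
    private static Identifiable findAlgorithm(String algorithm) {
        Identifiable found = Jwts.SIG.get().get(algorithm);
        if (found == null) {
            found = Jwts.KEY.get().get(algorithm);
        }
        if (found == null) {
            found = Jwts.ENC.get().get(algorithm);
        }
        return found;
    }

    /**
     * Rebuilds the {@link SecretKey} from the context's {@code k} parameter and wraps the context
     * in a {@link SecretJwk}.
     *
     * <p>Without an {@code alg} value the key type is inferred: an HMAC key when the context is
     * flagged for signature use or the key is longer than the HS256 key length, otherwise an AES
     * key. With an {@code alg} value the algorithm is resolved through the registries, checked to
     * be symmetric, and - for MAC algorithms only - checked against the minimum key length.
     *
     * @param jwkContext context holding the required {@code k} parameter
     * @return a new {@code DefaultSecretJwk} backed by the context
     * @throws MalformedKeyException if {@code alg} names a non-symmetric algorithm
     * @throws WeakKeyException if {@code alg} names a MAC algorithm and the key is too short
     */
    /* JADX INFO: Access modifiers changed from: protected */
    /* JADX WARN: Can't rename method to resolve collision */
    @Override // org.gcube.io.jsonwebtoken.impl.security.AbstractFamilyJwkFactory
    public SecretJwk createJwkFromValues(JwkContext<SecretKey> jwkContext) {
        byte[] keyBytes = (byte[]) new RequiredParameterReader(jwkContext).get(DefaultSecretJwk.K);
        String algorithm = jwkContext.getAlgorithm();
        if (!Strings.hasText(algorithm)) {
            // Compare as long: the decompiled code narrowed the bit length to int first, which
            // could wrap for very large inputs and flip this key-type decision.
            boolean useHmac = jwkContext.isSigUse()
                    || Bytes.bitLength(keyBytes) > Jwts.SIG.HS256.getKeyBitLength();
            // NOTE(review): no explicit length check happens on this branch; any validation is
            // left to Keys.hmacShaKeyFor / AesAlgorithm.keyFor, which are not visible here.
            jwkContext.setKey(useHmac ? Keys.hmacShaKeyFor(keyBytes) : AesAlgorithm.keyFor(keyBytes));
            return new DefaultSecretJwk(jwkContext);
        }
        Identifiable identifiable = findAlgorithm(algorithm);
        if (identifiable != null) {
            assertSymmetric(identifiable);
        }
        SecretKey key;
        if (identifiable instanceof MacAlgorithm) {
            assertKeyBitLength(keyBytes, (MacAlgorithm) identifiable);
            String jcaName = ((CryptoAlgorithm) identifiable).getJcaName();
            Assert.hasText(jcaName, "Algorithm jcaName cannot be null or empty.");
            key = new SecretKeySpec(keyBytes, jcaName);
        } else {
            // Reached for key-management and AEAD algorithms, and also when 'alg' is not known to
            // any registry (identifiable == null); the unknown id is not rejected in this method.
            key = AesAlgorithm.keyFor(keyBytes);
        }
        jwkContext.setKey(key);
        return new DefaultSecretJwk(jwkContext);
    }
}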
