package io.corbel.iam.jwt;

import io.corbel.iam.model.ClientCredential;
import io.corbel.iam.repository.ClientRepository;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.List;
import net.oauth.jsontoken.crypto.HmacSHA256Verifier;
import net.oauth.jsontoken.crypto.RsaSHA256Verifier;
import net.oauth.jsontoken.crypto.Verifier;
import net.oauth.jsontoken.discovery.VerifierProvider;
import org.bouncycastle.util.encoders.Base64;
import org.bouncycastle.util.encoders.DecoderException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/corbel/iam/jwt/ClientVerifierProvider.class */
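/**
 * {@link VerifierProvider} that builds token signature verifiers from the credential stored for a
 * client in the {@link ClientRepository}.
 *
 * <p>The verification algorithm is chosen from the stored credential
 * ({@link ClientCredential#getSignatureAlgorithm()}), not from anything supplied alongside the
 * token. Keep it that way: letting the token pick its own algorithm is what enables HMAC/RSA
 * key-confusion attacks.
 */
public class ClientVerifierProvider implements VerifierProvider {
    private static final Logger LOG = LoggerFactory.getLogger(ClientVerifierProvider.class);
    private final ClientRepository clientRepository;

    /**
     * @param clientRepository repository used to look up the credential of a client by id
     */
    public ClientVerifierProvider(ClientRepository clientRepository) {
        this.clientRepository = clientRepository;
    }

    /**
     * Looks up the credential stored for a client and returns the matching verifier.
     *
     * @param str identifier passed to {@link ClientRepository#findCredentialById}; presumably the
     *     token issuer / client id, which is untrusted until the signature has been verified
     * @param str2 unused by this implementation (presumably the key id of the VerifierProvider
     *     contract)
     * @return a single-element list holding the verifier, or {@code null} when no credential is
     *     stored for the client or the stored key cannot be turned into a verifier; callers must
     *     treat {@code null} as "reject the token"
     */
    @Override
    public List<Verifier> findVerifier(String str, String str2) {
        ClientCredential credential = this.clientRepository.findCredentialById(str);
        if (credential == null) {
            return null;
        }
        try {
            return Arrays.asList(getVerifier(credential));
        } catch (InvalidKeyException | InvalidKeySpecException | DecoderException e) {
            // Pass the id as a plain argument (not wrapped in an Object[]) so it is rendered as
            // the id itself and the exception is logged as the throwable.
            // NOTE(review): str is attacker-influenced if it comes from an unverified token;
            // confirm the log layout neutralises CR/LF.
            LOG.error("Client {} contains invalid public key", str, e);
            return null;
        }
    }

    /**
     * Selects the verifier implementation from the algorithm recorded on the credential.
     *
     * <p>Every algorithm other than HS256 falls through to the RSA verifier.
     * NOTE(review): if the algorithm enum ever gains further values, add explicit cases here so
     * they are rejected or handled deliberately rather than treated as RSA.
     */
    private Verifier getVerifier(ClientCredential clientCredential) throws InvalidKeyException, InvalidKeySpecException {
        switch (clientCredential.getSignatureAlgorithm()) {
            case HS256:
                return getHmacVerifier(clientCredential);
            default:
                return getRsaVerifier(clientCredential);
        }
    }

    /** Builds an RSA/SHA-256 verifier from the credential's Base64-encoded X.509 public key. */
    private Verifier getRsaVerifier(ClientCredential clientCredential) throws InvalidKeySpecException {
        return new RsaSHA256Verifier(getPublicKey(clientCredential));
    }

    /** Builds an HMAC/SHA-256 verifier that uses the credential's key string as the shared secret. */
    private Verifier getHmacVerifier(ClientCredential clientCredential) throws InvalidKeyException {
        // Explicit charset: the platform default would make the HMAC key bytes depend on the JVM's
        // locale settings for any secret containing non-ASCII characters.
        return new HmacSHA256Verifier(clientCredential.getKey().getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Parses the credential's key as an X.509 {@code SubjectPublicKeyInfo} RSA public key.
     *
     * @throws InvalidKeySpecException if the decoded bytes are not a valid RSA public key, or if
     *     no RSA {@link KeyFactory} is available
     */
    private PublicKey getPublicKey(ClientCredential clientCredential) throws InvalidKeySpecException {
        try {
            return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(decodedPublicKey(clientCredential)));
        } catch (NoSuchAlgorithmException e) {
            // Fail closed: never hand a null key to the verifier. Reported through the same
            // exception type so findVerifier logs it and returns null.
            throw new InvalidKeySpecException("RSA KeyFactory is not available", e);
        }
    }

    /** Base64-decodes the credential's key; throws {@link DecoderException} on malformed input. */
    private byte[] decodedPublicKey(ClientCredential clientCredential) {
        return Base64.decode(clientCredential.getKey());
    }
}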
