package com.cybersource.authsdk.jwtsecurity;

import com.cybersource.authsdk.util.GlobalLabelParameters;
import com.google.gson.GsonBuilder;
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObject;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSAEncrypter;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.util.Base64;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:com/cybersource/authsdk/jwtsecurity/JWTCryptoProcessorImpl.class */
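/**
 * JOSE helper that signs (JWS, RS256), encrypts (JWE, RSA-OAEP + A256GCM), decrypts and
 * verifies compact-serialized tokens using X.509 certificates and RSA keys.
 *
 * <p>Failure convention: every operation logs the problem and returns {@code null}
 * (or {@code false} for the boolean checks) instead of throwing.
 *
 * <p>Trust boundary: the inspection methods ({@link #getPayload(String)},
 * {@link #getJWTPayload(String)}, {@link #getKid(String)}, {@link #getCustomParam(String, String)},
 * {@link #getModulus(String)}, {@link #getSerialNumber(String, String)},
 * {@link #getAuthAttributes(String, String)}) only parse the token. They perform no signature
 * verification, so everything they return is sender-controlled until
 * {@link #validateSignature(String, X509Certificate)} or
 * {@link #isValidSignature(String, X509Certificate)} has succeeded for the same token.
 *
 * <p>No method in this class checks a certificate's validity period, chain or revocation
 * status; the caller is responsible for deciding that a certificate is trusted.
 */
public class JWTCryptoProcessorImpl implements CryptoProcessor {
    public static String MERCHANT_ID = GlobalLabelParameters.V_C_MERCHANTID;
    private static Logger logger = LogManager.getLogger(JWTCryptoProcessorImpl.class);

    /** Subject-DN attribute whose value is preferred as the JOSE {@code kid}. */
    private static final String SERIAL_NUMBER_PREFIX = "SERIALNUMBER=";

    /**
     * Parses a compact JWE and decrypts it with the given private key.
     *
     * @param str compact-serialized JWE
     * @param privateKey recipient private key handed to {@code RSADecrypter}
     * @return the decrypted JWE object, or {@code null} when an argument is missing or
     *     parsing/decryption fails
     */
    private JWEObject decryptPayload(String str, PrivateKey privateKey) {
        if (isNullOrEmpty(str) || privateKey == null) {
            logger.error("JWE String or Private Key is null or empty");
            return null;
        }
        try {
            JWEObject jweObject = JWEObject.parse(str);
            jweObject.decrypt(new RSADecrypter(privateKey));
            if (JWEObject.State.DECRYPTED.equals(jweObject.getState())) {
                // The decrypted object must be handed back; returning null here made every
                // successful decryption look like a failure to the callers.
                return jweObject;
            }
            // The token itself is not logged: it is untrusted input (log forging via embedded
            // line breaks) and an authentication artefact that does not belong in log files.
            logger.error("Payload (" + str.length() + " chars) cannot be decrypted");
            return null;
        } catch (IllegalArgumentException | JOSEException | ParseException e) {
            logger.error("JWT payload (" + str.length() + " chars) cannot be decrypted", e);
            return null;
        }
    }

    /**
     * Derives the {@code kid} header value for a certificate: the value of the subject-DN
     * {@code SERIALNUMBER} attribute when present, otherwise the certificate serial number in
     * decimal. The subject DN is upper-cased before the lookup, so a DN-derived value is
     * upper-case as well.
     */
    private String resolveKeyId(X509Certificate x509Certificate) {
        // Locale.ROOT keeps the case mapping stable on hosts whose default locale has
        // special casing rules (for example the Turkish dotted/dotless i).
        String subject = x509Certificate.getSubjectDN().getName().toUpperCase(Locale.ROOT);
        int start = subject.indexOf(SERIAL_NUMBER_PREFIX);
        if (start < 0) {
            return x509Certificate.getSerialNumber().toString();
        }
        int end = subject.indexOf(",", start);
        if (end == -1) {
            end = subject.length();
        }
        return subject.substring(start + SERIAL_NUMBER_PREFIX.length(), end);
    }

    /** Builds the single-entry {@code x5c} chain (Base64 of the DER encoding) for a certificate. */
    private List<Base64> encodeCertChain(X509Certificate x509Certificate) throws CertificateEncodingException {
        List<Base64> chain = new ArrayList<>();
        chain.add(Base64.encode(x509Certificate.getEncoded()));
        return chain;
    }

    /**
     * Returns the certificate's public key as an RSA key, or {@code null} (after logging) when
     * the certificate carries no key or a non-RSA key, instead of failing with a
     * {@code ClassCastException}.
     */
    private RSAPublicKey toRsaPublicKey(X509Certificate x509Certificate) {
        PublicKey publicKey = x509Certificate.getPublicKey();
        if (publicKey instanceof RSAPublicKey) {
            return (RSAPublicKey) publicKey;
        }
        logger.error("Public Certificate does not contain an RSA public key");
        return null;
    }

    /** Decodes a DER/PEM encoded X.509 certificate from a byte array. */
    private X509Certificate parseCertificate(byte[] encoded) throws CertificateException, IOException {
        try (ByteArrayInputStream in = new ByteArrayInputStream(encoded)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /**
     * Encrypts a payload to the public key of the recipient certificate.
     *
     * @param str payload to encrypt
     * @param x509Certificate recipient certificate; also embedded in the {@code x5c} header
     * @param map custom header parameters, may be {@code null}
     * @return the encrypted JWE, or {@code null} on any failure
     */
    private JOSEObject encryptPayload(String str, X509Certificate x509Certificate, Map<String, Object> map) {
        if (isNullOrEmpty(str) || x509Certificate == null) {
            logger.error("Payload Content or Public Certificate is null or empty");
            return null;
        }
        RSAPublicKey recipientKey = toRsaPublicKey(x509Certificate);
        if (recipientKey == null) {
            return null;
        }
        String keyId = resolveKeyId(x509Certificate);
        try {
            // NOTE(review): JWEAlgorithm.RSA_OAEP is RSA-OAEP with the default SHA-1 based
            // parameters (RFC 7518); JWEAlgorithm.RSA_OAEP_256 is the SHA-256 variant. Left
            // unchanged because the recipient has to support whatever is emitted here.
            JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.RSA_OAEP, EncryptionMethod.A256GCM)
                    .customParams(map)
                    .contentType(GlobalLabelParameters.JWT)
                    .keyID(keyId)
                    .x509CertChain(encodeCertChain(x509Certificate))
                    .build();
            JWEObject jweObject = new JWEObject(header, new Payload(str));
            try {
                jweObject.encrypt(new RSAEncrypter(recipientKey));
                if (JWEObject.State.ENCRYPTED.equals(jweObject.getState())) {
                    return jweObject;
                }
                logger.error("Payload cannot be encrypted");
                return null;
            } catch (JOSEException e) {
                logger.error("JOSEException : Payload encryption failed\n" + e);
                return null;
            }
        } catch (CertificateEncodingException e2) {
            logger.error("CertificateEncodingException : Payload cannot be signed or encrypted\n" + e2);
            return null;
        }
    }

    /**
     * Encrypts {@code str} for the holder of {@code x509Certificate}.
     *
     * @return compact JWE, or {@code null} on failure
     */
    @Override // com.cybersource.authsdk.jwtsecurity.CryptoProcessor
    public String encrypt(String str, X509Certificate x509Certificate) {
        return serializeToken(encryptPayload(str, x509Certificate, null));
    }

    /**
     * Encrypts {@code str} for the holder of {@code x509Certificate}, adding {@code map} as
     * custom header parameters. Header parameters are not encrypted.
     *
     * @return compact JWE, or {@code null} on failure
     */
    @Override // com.cybersource.authsdk.jwtsecurity.CryptoProcessor
    public String encrypt(String str, X509Certificate x509Certificate, Map<String, Object> map) {
        return serializeToken(encryptPayload(str, x509Certificate, map));
    }

    /**
     * Signs {@code str} with {@code privateKey} (certificate {@code x509Certificate}) and then
     * encrypts the resulting JWS to {@code x509Certificate2}.
     *
     * @return compact JWE wrapping the JWS, or {@code null} when either step fails
     */
    @Override // com.cybersource.authsdk.jwtsecurity.CryptoProcessor
    public String signAndEncrypt(String str, PrivateKey privateKey, X509Certificate x509Certificate, X509Certificate x509Certificate2) {
        return serializeToken(encryptPayload(serializeToken(signPayload(str, privateKey, x509Certificate, null)), x509Certificate2, null));
    }

    /**
     * Same as the four-argument overload; {@code map} is placed in both the inner JWS header
     * and the outer JWE header.
     *
     * @return compact JWE wrapping the JWS, or {@code null} when either step fails
     */
    @Override // com.cybersource.authsdk.jwtsecurity.CryptoProcessor
    public String signAndEncrypt(String str, PrivateKey privateKey, X509Certificate x509Certificate, X509Certificate x509Certificate2, Map<String, Object> map) {
        return serializeToken(encryptPayload(serializeToken(signPayload(str, privateKey, x509Certificate, map)), x509Certificate2, map));
    }

    /**
     * Signs {@code str} with RS256.
     *
     * @return compact JWS, or {@code null} on failure
     */
    @Override // com.cybersource.authsdk.jwtsecurity.CryptoProcessor
    public String sign(String str, PrivateKey privateKey, X509Certificate x509Certificate) {
        return serializeToken(signPayload(str, privateKey, x509Certificate, null));
    }

    /**
     * Signs {@code str} with RS256, adding {@code map} as custom header parameters. The
     * header, including these parameters, is covered by the signature.
     *
     * @return compact JWS, or {@code null} on failure
     */
    @Override // com.cybersource.authsdk.jwtsecurity.CryptoProcessor
    public String sign(String str, PrivateKey privateKey, X509Certificate x509Certificate, Map<String, Object> map) {
        return serializeToken(signPayload(str, privateKey, x509Certificate, map));
    }

    /**
     * Builds and signs a JWS whose header carries the signer's {@code kid} and {@code x5c}.
     *
     * @param str payload to sign
     * @param privateKey signer's RSA private key
     * @param x509Certificate signer's certificate, embedded in the header
     * @param map custom header parameters, may be {@code null}
     * @return the signed JWS, or {@code null} on any failure
     */
    private JOSEObject signPayload(String str, PrivateKey privateKey, X509Certificate x509Certificate, Map<String, Object> map) {
        if (isNullOrEmpty(str) || x509Certificate == null || privateKey == null) {
            logger.error("Payload Content or Public Certificate or Private Key is null or empty");
            return null;
        }
        if (!(privateKey instanceof RSAPrivateKey)) {
            // Guarded so that a non-RSA key follows the log-and-return-null convention
            // instead of escaping as a ClassCastException.
            logger.error("Private Key is not an RSA private key");
            return null;
        }
        String keyId = resolveKeyId(x509Certificate);
        try {
            JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256)
                    .customParams(map)
                    .keyID(keyId)
                    .x509CertChain(encodeCertChain(x509Certificate))
                    .build();
            JWSObject jwsObject = new JWSObject(header, new Payload(str));
            try {
                jwsObject.sign(new RSASSASigner((RSAPrivateKey) privateKey));
                if (jwsObject.getState().equals(JWSObject.State.SIGNED)) {
                    return jwsObject;
                }
                logger.error("Payload signing failed.");
                return null;
            } catch (JOSEException e) {
                logger.error("JOSEException : Payload cannot be signed or encrypted\n" + e);
                return null;
            }
        } catch (CertificateEncodingException e2) {
            logger.error("CertificateEncodingException : Payload cannot be signed or encrypted\n" + e2);
            return null;
        }
    }

    /**
     * Decrypts a compact JWE.
     *
     * @return the decrypted payload as a string, or {@code null} on failure
     */
    @Override // com.cybersource.authsdk.jwtsecurity.CryptoProcessor
    public String decrypt(String str, PrivateKey privateKey) {
        return getPayload((JOSEObject) decryptPayload(str, privateKey));
    }

    /**
     * Decrypts a compact JWE and verifies the JWS it contains against {@code x509Certificate}.
     *
     * @return the verified inner payload, or {@code null} when decryption or verification fails
     */
    @Override // com.cybersource.authsdk.jwtsecurity.CryptoProcessor
    public String decryptAndValidateSignature(String str, PrivateKey privateKey, X509Certificate x509Certificate) {
        JWEObject decrypted = decryptPayload(str, privateKey);
        if (decrypted == null || decrypted.getPayload() == null) {
            // decryptPayload has already logged the reason.
            return null;
        }
        return validateSignature(decrypted.getPayload().toString(), x509Certificate);
    }

    /**
     * Verifies a compact JWS with the RSA public key of the supplied certificate. The
     * certificate embedded in the token's own {@code x5c} header is not used for verification.
     *
     * <p>NOTE(review): nothing here compares the token's {@code alg} header with an expected
     * value; which algorithms are accepted is left to {@code RSASSAVerifier}, while this class
     * only ever emits RS256. Confirm whether the accepted set should be narrowed.
     *
     * @return the payload when the signature verifies, otherwise {@code null}
     */
    @Override // com.cybersource.authsdk.jwtsecurity.CryptoProcessor
    public String validateSignature(String str, X509Certificate x509Certificate) {
        if (isNullOrEmpty(str) || x509Certificate == null) {
            logger.error("JWS or Public Certificate is null or empty");
            return null;
        }
        try {
            JWSObject jwsObject = JWSObject.parse(str);
            RSAPublicKey verificationKey = toRsaPublicKey(x509Certificate);
            if (verificationKey == null) {
                return null;
            }
            if (jwsObject.verify(new RSASSAVerifier(verificationKey))) {
                // Return the payload of the object that was just verified.
                return getPayload((JOSEObject) jwsObject);
            }
            logger.error("Signature cannot be verified");
            return null;
        } catch (JOSEException | ParseException e) {
            logger.error("JWT Token cannot be parsed or verified\n" + e);
            return null;
        }
    }

    /**
     * Verifies a compact JWS against an encoded X.509 certificate.
     *
     * @param str compact JWS
     * @param bArr encoded certificate, decoded with the {@code "X.509"} certificate factory
     * @return the payload when the signature verifies, otherwise {@code null}
     */
    @Override // com.cybersource.authsdk.jwtsecurity.CryptoProcessor
    public String validateSignature(String str, byte[] bArr) {
        if (isNullOrEmpty(str) || bArr == null) {
            logger.error("JWS or Public Certificate is null or empty");
            return null;
        }
        try {
            // The certificate has to be decoded from bArr; delegating with a null certificate
            // made this overload reject every token.
            return validateSignature(str, parseCertificate(bArr));
        } catch (IOException e) {
            logger.error("IOException : Unable to close input stream object\n" + e);
            return null;
        } catch (CertificateException e2) {
            logger.error("CertificateException : Cannot create certificate from encoded certificate string\n" + e2);
            return null;
        }
    }

    /**
     * Parses a compact JOSE object and returns its payload WITHOUT verifying any signature.
     * The result is untrusted unless the same token has been verified separately.
     *
     * @return the payload string, or {@code null} when the input is empty or cannot be parsed
     */
    @Override // com.cybersource.authsdk.jwtsecurity.CryptoProcessor
    public String getPayload(String str) {
        if (isNullOrEmpty(str)) {
            logger.error("JWS is null or empty");
            return null;
        }
        try {
            return getPayload(JOSEObject.parse(str));
        } catch (ParseException e) {
            logger.error("ParseException : Cannot verify or parse JWT Token\n" + e);
            return null;
        }
    }

    /**
     * Reports whether the compact JWS verifies with the RSA public key of the certificate.
     *
     * @return {@code true} only when parsing and verification both succeed
     */
    @Override // com.cybersource.authsdk.jwtsecurity.CryptoProcessor
    public boolean isValidSignature(String str, X509Certificate x509Certificate) {
        if (isNullOrEmpty(str) || x509Certificate == null) {
            return false;
        }
        try {
            JWSObject jwsObject = JWSObject.parse(str);
            RSAPublicKey verificationKey = toRsaPublicKey(x509Certificate);
            if (verificationKey == null) {
                return false;
            }
            return jwsObject.verify(new RSASSAVerifier(verificationKey));
        } catch (JOSEException | ParseException e) {
            logger.error("Cannot verify or parse JWT Token\n" + e);
            return false;
        }
    }

    /**
     * Reports whether the compact JWS verifies against an encoded X.509 certificate.
     *
     * @return {@code true} only when the certificate decodes and the signature verifies
     */
    @Override // com.cybersource.authsdk.jwtsecurity.CryptoProcessor
    public boolean isValidSignature(String str, byte[] bArr) {
        if (isNullOrEmpty(str) || bArr == null) {
            logger.error("JWS or Public Certificate is null or empty");
            return false;
        }
        try {
            return isValidSignature(str, parseCertificate(bArr));
        } catch (IOException e) {
            logger.error("IOException : Unable to close input stream object\n" + e);
            return false;
        } catch (CertificateException e2) {
            logger.error("CertificateException : Cannot create certificate from encoded certificate string\n" + e2);
            return false;
        }
    }

    /**
     * Serializes a JOSE object to its compact form.
     *
     * @return the compact string, or {@code null} when the preceding sign/encrypt step failed
     *     and produced no object
     */
    private String serializeToken(JOSEObject jOSEObject) {
        if (jOSEObject == null) {
            // The failing step has already logged its reason; keep the null-on-failure
            // convention rather than throwing a NullPointerException.
            return null;
        }
        return jOSEObject.serialize();
    }

    /** Returns the payload of a JOSE object as a string, or {@code null} when there is none. */
    private String getPayload(JOSEObject jOSEObject) {
        if (jOSEObject == null || jOSEObject.getPayload() == null) {
            return null;
        }
        return jOSEObject.getPayload().toString();
    }

    /**
     * Reads the custom header parameter {@code "modulus"} from an unverified token.
     *
     * @return the value when it is present as a {@code BigInteger}; {@code null} when it is
     *     absent, has another type, or the token cannot be parsed
     */
    @Override // com.cybersource.authsdk.jwtsecurity.CryptoProcessor
    public BigInteger getModulus(String str) {
        try {
            if (isNullOrEmpty(str)) {
                return null;
            }
            JOSEObject parsed = JOSEObject.parse(str);
            if (!(parsed instanceof JWSObject) && !(parsed instanceof JWEObject)) {
                logger.error("Unknown JWT authentication type, not signed, not encrypted");
                return null;
            }
            Object modulus = parsed.getHeader().getCustomParam("modulus");
            if (modulus == null || modulus instanceof BigInteger) {
                return (BigInteger) modulus;
            }
            // Header values are sender-controlled, so an unexpected type is reported instead
            // of surfacing as a ClassCastException.
            logger.error("JWT header parameter \"modulus\" is not a BigInteger");
            return null;
        } catch (ParseException e) {
            logger.error("ParseException : Cannot verify or parse JWT Token\n" + e);
            return null;
        }
    }

    /**
     * Reads a custom header parameter from an unverified token.
     *
     * @param str compact JWS or JWE
     * @param str2 name of the header parameter
     * @return the value when it is present as a string; {@code null} otherwise
     */
    @Override // com.cybersource.authsdk.jwtsecurity.CryptoProcessor
    public String getCustomParam(String str, String str2) {
        try {
            if (isNullOrEmpty(str)) {
                logger.error("JWT Payload is null or empty");
                return null;
            }
            JOSEObject parsed = JOSEObject.parse(str);
            if (!(parsed instanceof JWSObject) && !(parsed instanceof JWEObject)) {
                logger.error("Unknown JWT authentication type, not signed, not encrypted");
                return null;
            }
            Object value = parsed.getHeader().getCustomParam(str2);
            if (value == null || value instanceof String) {
                return (String) value;
            }
            logger.error("JWT header parameter is not a string");
            return null;
        } catch (ParseException e) {
            logger.error("ParseException : Cannot verify or parse JWT Token\n" + e);
            return null;
        }
    }

    /**
     * Reads the {@code kid} header of an unverified token.
     *
     * @return the key ID, or {@code null} when the input is empty, unparseable, or neither a
     *     JWS nor a JWE
     */
    @Override // com.cybersource.authsdk.jwtsecurity.CryptoProcessor
    public String getKid(String str) {
        if (isNullOrEmpty(str)) {
            logger.error("JWT String is null or empty");
            return null;
        }
        try {
            return getKid(JOSEObject.parse(str));
        } catch (ParseException e) {
            logger.error("ParseException : Cannot verify or parse JWT Token\n" + e);
            return null;
        }
    }

    /** Reads the {@code kid} header of a parsed JWS or JWE; {@code null} for anything else. */
    public String getKid(JOSEObject jOSEObject) {
        if (jOSEObject instanceof JWSObject) {
            return ((JWSObject) jOSEObject).getHeader().getKeyID();
        }
        if (jOSEObject instanceof JWEObject) {
            return ((JWEObject) jOSEObject).getHeader().getKeyID();
        }
        logger.error("Unknown JWT authentication type, not signed, not encrypted");
        return null;
    }

    /**
     * Reports whether the compact token parses as a JWE in the encrypted state.
     *
     * @return {@code false} for a JWS, for empty or unparseable input, and for other types
     */
    @Override // com.cybersource.authsdk.jwtsecurity.CryptoProcessor
    public boolean isEncrypted(String str) {
        if (isNullOrEmpty(str)) {
            logger.error("JWT String is null or empty");
            return false;
        }
        try {
            return isEncrypted(JOSEObject.parse(str));
        } catch (ParseException e) {
            logger.error("ParseException : Cannot verify or parse JWT Token\n" + e);
            return false;
        }
    }

    /** Reports whether a parsed JOSE object is a JWE whose state is {@code ENCRYPTED}. */
    public boolean isEncrypted(JOSEObject jOSEObject) {
        if (jOSEObject instanceof JWSObject) {
            return false;
        }
        if (jOSEObject instanceof JWEObject) {
            return JWEObject.State.ENCRYPTED == ((JWEObject) jOSEObject).getState();
        }
        logger.error("Unknown JWT authentication type, not signed, not encrypted");
        return false;
    }

    /**
     * Looks up a subject value in the {@code x5c} certificates of an unverified token.
     *
     * @param str compact JWS or JWE
     * @param str2 issuer name to match (the log message calls it the issuer common name)
     * @return see {@link #getSerialNumber(JOSEObject, String)}
     */
    @Override // com.cybersource.authsdk.jwtsecurity.CryptoProcessor
    public String getSerialNumber(String str, String str2) {
        if (isNullOrEmpty(str)) {
            logger.error("JWT String is null or empty");
            return null;
        }
        try {
            return getSerialNumber(JOSEObject.parse(str), str2);
        } catch (ParseException e) {
            logger.error("ParseException : Cannot verify or parse JWT Token\n" + e);
            return null;
        }
    }

    /**
     * Walks the {@code x5c} header and, for the first certificate whose issuer matches
     * {@code str}, returns the value of the first attribute of its subject DN.
     *
     * <p>The {@code x5c} certificates come from the token itself and are only decoded here,
     * not validated against any trust anchor; treat the result as a sender-supplied claim.
     *
     * <p>NOTE(review): the issuer is matched against the text between the first and second
     * {@code '='} of the issuer name, so for a multi-attribute issuer that text also contains
     * the separator and the next attribute's type. Confirm the intended matching rule.
     *
     * @param jOSEObject parsed JWS or JWE
     * @param str issuer name to match, case-insensitively
     * @return the extracted subject value, or {@code null} when nothing matches or a
     *     certificate cannot be decoded
     */
    public String getSerialNumber(JOSEObject jOSEObject, String str) {
        List<Base64> certChain;
        if (jOSEObject == null || isNullOrEmpty(str)) {
            logger.error("JOSE object or Certificate Issuer Common Name is null or empty");
            return null;
        }
        if (jOSEObject instanceof JWSObject) {
            certChain = ((JWSObject) jOSEObject).getHeader().getX509CertChain();
        } else {
            if (!(jOSEObject instanceof JWEObject)) {
                logger.error("Unknown JWT authentication type, not signed, not encrypted");
                return null;
            }
            certChain = ((JWEObject) jOSEObject).getHeader().getX509CertChain();
        }
        if (certChain == null || certChain.isEmpty()) {
            // A token without an x5c header yields no list at all; report it instead of
            // failing on the iteration below.
            logger.error("No Certificate chain available in JWT x5c header");
            return null;
        }
        for (Base64 encodedCert : certChain) {
            try {
                X509Certificate certificate = parseCertificate(encodedCert.decode());
                String[] issuerParts = certificate.getIssuerX500Principal().getName().split("=");
                if (issuerParts.length < 2 || !str.equalsIgnoreCase(issuerParts[1])) {
                    continue;
                }
                String[] firstSubjectAttribute = certificate.getSubjectDN().getName().split(",")[0].split("=");
                if (firstSubjectAttribute.length < 2) {
                    logger.error("Certificate subject does not contain an attribute value");
                    return null;
                }
                return firstSubjectAttribute[1];
            } catch (IOException e) {
                logger.error("IOException : Unable to close input stream object\n" + e);
                return null;
            } catch (CertificateException e2) {
                logger.error("CertificateException : Cannot create certificate from encoded certificate string\n" + e2);
                return null;
            }
        }
        logger.error("No certificate in JWT x5c header matches the requested issuer");
        return null;
    }

    /**
     * Summarises an unverified token: whether it is encrypted and, from its {@code kid}, the
     * recipient serial number (JWE) or the sender serial number (JWS).
     *
     * @param str compact JWS or JWE
     * @param str2 not used by this implementation
     * @return the populated attributes, or {@code null} when the input is empty or unparseable
     */
    @Override // com.cybersource.authsdk.jwtsecurity.CryptoProcessor
    public AuthAttributes getAuthAttributes(String str, String str2) {
        if (isNullOrEmpty(str)) {
            logger.error("JWT String is null or empty");
            return null;
        }
        try {
            JOSEObject parsed = JOSEObject.parse(str);
            AuthAttributes authAttributes = new AuthAttributes();
            authAttributes.setIsEncrypted(isEncrypted(parsed));
            if (authAttributes.isEncrypted) {
                authAttributes.setRecipientSerialNumber(getKid(parsed));
                authAttributes.setSenderSerialNumber(null);
            } else {
                authAttributes.setRecipientSerialNumber(null);
                authAttributes.setSenderSerialNumber(getKid(parsed));
            }
            return authAttributes;
        } catch (ParseException e) {
            logger.error("ParseException : Cannot verify or parse JWT Token\n" + e);
            return null;
        }
    }

    /** Returns {@code true} for {@code null} and for strings that are empty after trimming. */
    private boolean isNullOrEmpty(String str) {
        return str == null || str.trim().isEmpty();
    }

    /** Returns {@code true} when the string has at least one non-whitespace character. */
    public boolean isNotEmpty(String str) {
        return !isNullOrEmpty(str);
    }

    /**
     * Checks that {@code str2} equals the Base64 SHA-256 digest of {@code str}.
     *
     * @param str message body
     * @param str2 expected Base64-encoded digest
     * @return {@code true} on an exact match; {@code false} on mismatch, {@code null} body, or
     *     when the digest cannot be computed
     */
    public boolean validateBodyDigest(String str, String str2) {
        String computed = createBodyDigest(str);
        return computed != null && computed.equals(str2);
    }

    /**
     * Parses the token's payload as JSON into a {@code JWTPayload}. No signature is verified
     * here, so the returned object is untrusted unless the token was verified separately.
     */
    @Override // com.cybersource.authsdk.jwtsecurity.CryptoProcessor
    public JWTPayload getJWTPayload(String str) {
        return (JWTPayload) new GsonBuilder().create().fromJson(getPayload(str), JWTPayload.class);
    }

    /**
     * Computes the Base64-encoded SHA-256 digest of a message body.
     *
     * @param str message body
     * @return the Base64 digest, or {@code null} when {@code str} is {@code null} or SHA-256
     *     is unavailable
     */
    @Override // com.cybersource.authsdk.jwtsecurity.CryptoProcessor
    public String createBodyDigest(String str) {
        if (str == null) {
            logger.error("Body is null, digest cannot be computed");
            return null;
        }
        try {
            // An explicit charset keeps the digest identical on every host; the no-argument
            // getBytes() depends on the platform default, so the same body could hash
            // differently on the signing and the verifying side.
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(str.getBytes(StandardCharsets.UTF_8));
            return java.util.Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            logger.error("NoSuchAlgorithmException : Couldn't instantiate SHA-256 digest\n" + e);
            return null;
        }
    }
}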
