package no.nav.security.token.support.client.core.auth;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.net.URI;
import java.sql.Date;
import java.time.Instant;
import java.util.UUID;
import javax.validation.constraints.NotNull;
import no.nav.security.token.support.client.core.ClientAuthenticationProperties;

/* loaded from: input_file:no/nav/security/token/support/client/core/auth/ClientAssertion.class */
public class ClientAssertion {
    private static final int EXPIRY_IN_SECONDS = 60;
    private final URI tokenEndpointUrl;
    private final String clientId;
    private final RSAKey rsaKey;
    private final int expiryInSeconds;

    public ClientAssertion(@NotNull URI uri, @NotNull ClientAuthenticationProperties clientAuthenticationProperties) {
        this(uri, clientAuthenticationProperties.getClientId(), clientAuthenticationProperties.getClientRsaKey(), EXPIRY_IN_SECONDS);
    }

    public ClientAssertion(URI uri, String str, RSAKey rSAKey, int i) {
        this.tokenEndpointUrl = uri;
        this.rsaKey = rSAKey;
        this.clientId = str;
        this.expiryInSeconds = i;
    }

    public String assertion() {
        Instant now = Instant.now();
        return createSignedJWT(this.rsaKey, new JWTClaimsSet.Builder().audience(this.tokenEndpointUrl.toString()).expirationTime(Date.from(now.plusSeconds(this.expiryInSeconds))).issuer(this.clientId).subject(this.clientId).claim("jti", UUID.randomUUID().toString()).notBeforeTime(Date.from(now)).build()).serialize();
    }

    public String assertionType() {
        return "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
    }

    private SignedJWT createSignedJWT(RSAKey rSAKey, JWTClaimsSet jWTClaimsSet) {
        try {
            SignedJWT signedJWT = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(rSAKey.getKeyID()).type(JOSEObjectType.JWT).build(), jWTClaimsSet);
            signedJWT.sign(new RSASSASigner(rSAKey.toPrivateKey()));
            return signedJWT;
        } catch (JOSEException e) {
            throw new RuntimeException((Throwable) e);
        }
    }
}
