package com.atlassian.asap.nimbus.serializer;

import com.atlassian.asap.api.AlgorithmType;
import com.atlassian.asap.api.Jwt;
import com.atlassian.asap.api.JwtClaims;
import com.atlassian.asap.api.SigningAlgorithm;
import com.atlassian.asap.core.SecurityProvider;
import com.atlassian.asap.core.exception.SigningException;
import com.atlassian.asap.core.exception.UnsupportedAlgorithmException;
import com.atlassian.asap.core.serializer.JwtSerializer;
import com.google.common.annotations.VisibleForTesting;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.ECDSASigner;
import com.nimbusds.jose.crypto.RSASSASigner;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAPrivateKey;
import net.minidev.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/atlassian-connect-server-plugin-2.0.0-39bf8e4.jar:com/atlassian/asap/nimbus/serializer/NimbusJwtSerializer.class */
/**
 * {@link JwtSerializer} implementation that builds a Nimbus {@link JWSObject} from a
 * {@link Jwt}, signs it with the supplied private key and returns its serialized form.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The signer is chosen from the algorithm declared in the JWT header <em>and</em> the
 *       runtime type of the private key. A mismatch between the two is rejected with
 *       {@link UnsupportedAlgorithmException} rather than signed.</li>
 *   <li>All signers use the JCA {@link Provider} given at construction time.</li>
 *   <li>On a signing failure the {@link JOSEException} is written to the log and a
 *       {@link SigningException} without a cause is thrown, so the root cause is only
 *       available in the log output.</li>
 * </ul>
 */
public class NimbusJwtSerializer implements JwtSerializer {
    private static final Logger logger = LoggerFactory.getLogger(NimbusJwtSerializer.class);

    /** JCA provider handed to every signer created by this serializer. */
    private final Provider provider;

    /** Creates a serializer that uses the provider returned by {@link SecurityProvider#getProvider()}. */
    public NimbusJwtSerializer() {
        this(SecurityProvider.getProvider());
    }

    /**
     * Creates a serializer that uses the given JCA provider for signing.
     *
     * @param provider provider set on each signer; stored as-is, no null check is performed here
     */
    public NimbusJwtSerializer(Provider provider) {
        this.provider = provider;
    }

    /**
     * Signs the JWT and returns the serialized JWS.
     *
     * @param jwt token whose header and claims are serialized
     * @param privateKey key used for signing; its type must match the header algorithm
     * @return the result of {@link JWSObject#serialize()} on the signed object
     * @throws SigningException if the underlying signer fails
     * @throws UnsupportedAlgorithmException if the algorithm and key type do not match a supported pair
     */
    @Override
    public String serialize(Jwt jwt, PrivateKey privateKey) throws SigningException, UnsupportedAlgorithmException {
        JWSObject signed = getSignedJwsObject(jwt, privateKey);
        return signed.serialize();
    }

    /**
     * Builds the JWS header (algorithm and key id taken from the JWT header) and the JSON
     * payload, then signs the object.
     *
     * @param jwt token to convert
     * @param privateKey signing key
     * @return the signed JWS object
     * @throws UnsupportedAlgorithmException if no signer exists for the algorithm/key combination
     */
    @VisibleForTesting
    JWSObject getSignedJwsObject(Jwt jwt, PrivateKey privateKey) throws UnsupportedAlgorithmException {
        SigningAlgorithm signingAlgorithm = jwt.getHeader().getAlgorithm();
        JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.parse(signingAlgorithm.name()))
                .keyID(jwt.getHeader().getKeyId())
                .build();
        Payload payload = new Payload(toJsonPayload(jwt.getClaims()));
        JWSObject jwsObject = new JWSObject(header, payload);
        try {
            JWSSigner signer = getSigner(signingAlgorithm, privateKey);
            jwsObject.sign(signer);
        } catch (JOSEException signingFailure) {
            // Only the exception is logged; the key and the claims are not passed to the logger.
            logger.error("Unexpected error when signing JWT token", signingFailure);
            // The cause is not attached to the thrown exception, it survives in the log only.
            throw new SigningException();
        }
        return jwsObject;
    }

    /**
     * Selects a signer for the algorithm family, accepting only a private key of the matching
     * type: RSA and RSASSA-PSS require an {@link RSAPrivateKey}, ECDSA requires an
     * {@link ECPrivateKey}. Every other combination is rejected.
     */
    private JWSSigner getSigner(SigningAlgorithm signingAlgorithm, PrivateKey privateKey) throws UnsupportedAlgorithmException {
        AlgorithmType family = signingAlgorithm.type();
        boolean rsaFamily = family == AlgorithmType.RSA || family == AlgorithmType.RSASSA_PSS;

        if (rsaFamily && privateKey instanceof RSAPrivateKey) {
            return createRSASSASignerForKey((RSAPrivateKey) privateKey);
        }
        if (family == AlgorithmType.ECDSA && privateKey instanceof ECPrivateKey) {
            return createECDSASignerForKey((ECPrivateKey) privateKey);
        }
        // The message names the algorithm only; no key details are included.
        String message = String.format("Unsupported algorithm %s or signing key type", signingAlgorithm.name());
        throw new UnsupportedAlgorithmException(message);
    }

    /**
     * Creates an RSA signer bound to this serializer's provider.
     *
     * @param rSAPrivateKey RSA signing key
     * @return signer configured with {@code this.provider}
     */
    @VisibleForTesting
    protected JWSSigner createRSASSASignerForKey(RSAPrivateKey rSAPrivateKey) {
        RSASSASigner signer = new RSASSASigner(rSAPrivateKey);
        signer.setProvider(this.provider);
        return signer;
    }

    /**
     * Creates an ECDSA signer bound to this serializer's provider. The signer is constructed
     * from the key's private value as returned by {@link ECPrivateKey#getS()}.
     *
     * @param eCPrivateKey EC signing key
     * @return signer configured with {@code this.provider}
     */
    @VisibleForTesting
    protected JWSSigner createECDSASignerForKey(ECPrivateKey eCPrivateKey) {
        // NOTE(review): this hands the raw private scalar to the signer, which presumably
        // requires a key that exposes it in memory - confirm for non-software key stores.
        ECDSASigner signer = new ECDSASigner(eCPrivateKey.getS());
        signer.setProvider(this.provider);
        return signer;
    }

    /**
     * Copies the claims into a JSON object keyed by the {@link JwtClaims.Claim} keys.
     * Subject and not-before are written only when present. An audience of exactly one
     * entry is written as that single value, any other size (including empty) as the
     * whole collection. Issued-at, expiry and not-before are written as epoch seconds.
     */
    private static JSONObject toJsonPayload(JwtClaims jwtClaims) {
        JSONObject payload = new JSONObject();
        payload.put(JwtClaims.Claim.ISSUER.key(), jwtClaims.getIssuer());
        if (jwtClaims.getSubject().isPresent()) {
            payload.put(JwtClaims.Claim.SUBJECT.key(), jwtClaims.getSubject().get());
        }

        Object audienceValue = jwtClaims.getAudience().size() == 1
                ? jwtClaims.getAudience().iterator().next()
                : jwtClaims.getAudience();
        payload.put(JwtClaims.Claim.AUDIENCE.key(), audienceValue);

        payload.put(JwtClaims.Claim.JWT_ID.key(), jwtClaims.getJwtId());
        payload.put(JwtClaims.Claim.ISSUED_AT.key(), jwtClaims.getIssuedAt().getEpochSecond());
        payload.put(JwtClaims.Claim.EXPIRY.key(), jwtClaims.getExpiry().getEpochSecond());
        if (jwtClaims.getNotBefore().isPresent()) {
            payload.put(JwtClaims.Claim.NOT_BEFORE.key(), jwtClaims.getNotBefore().get().getEpochSecond());
        }
        return payload;
    }
}
