package io.jans.as.model.jwe;

import com.nimbusds.jose.JWEDecrypter;
import com.nimbusds.jose.crypto.factories.DefaultJWEDecrypterFactory;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.SignedJWT;
import io.jans.as.model.crypto.encryption.BlockEncryptionAlgorithm;
import io.jans.as.model.crypto.encryption.KeyEncryptionAlgorithm;
import io.jans.as.model.crypto.signature.SignatureAlgorithm;
import io.jans.as.model.exception.InvalidJweException;
import io.jans.as.model.exception.InvalidJwtException;
import io.jans.as.model.jwt.Jwt;
import io.jans.as.model.jwt.JwtClaims;
import io.jans.as.model.jwt.JwtHeader;
import io.jans.as.model.util.SecurityProviderUtility;
import java.security.Key;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.util.Arrays;
import javax.crypto.spec.SecretKeySpec;

/* loaded from: input_file:io/jans/as/model/jwe/JweDecrypterImpl.class */
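/**
 * Decrypts JWE tokens in compact serialization using the Nimbus JOSE library.
 *
 * <p>An instance holds either an RSA private key (used for {@code RSA1_5} and
 * {@code RSA-OAEP}) or a shared symmetric secret (used for {@code A128KW} and
 * {@code A256KW}). Which of the two is used is decided by the {@code alg}
 * header of the token being decrypted.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>{@code alg} and {@code enc} are taken from the token header as received.
 *       This class only checks that {@code alg} is one of the four supported
 *       key-management algorithms; the {@code fapi} flag does not narrow that set,
 *       it only affects the nested-JWT {@code none} check. Callers that require a
 *       specific algorithm must enforce it themselves.</li>
 *   <li>A nested signed JWT is parsed and its claims are copied onto the returned
 *       {@link Jwe}, but no signature verification happens in this class. The
 *       claims must be treated as unverified until the caller has validated the
 *       nested signature.</li>
 *   <li>When the shared secret does not have the AES key length required by
 *       {@code alg}, the key is the leading bytes of SHA-256(secret). This is a
 *       plain hash truncation, not a password-hardening KDF, so the secret itself
 *       needs enough entropy.</li>
 * </ul>
 *
 * <p>Not safe for concurrent use: every {@link #decrypt(String)} call records the
 * token's algorithms through the inherited setters (presumably instance state of
 * {@code AbstractJweDecrypter} - confirm there).
 */
public class JweDecrypterImpl extends AbstractJweDecrypter {
    private static final DefaultJWEDecrypterFactory DECRYPTER_FACTORY = new DefaultJWEDecrypterFactory();

    /** Number of dot-separated segments in a JWE compact serialization. */
    private static final int JWE_COMPACT_PARTS = 5;
    /** AES key size in bytes for A128KW. */
    private static final int A128KW_KEY_LENGTH = 16;
    /** AES key size in bytes for A256KW. */
    private static final int A256KW_KEY_LENGTH = 32;

    private final PrivateKey privateKey;
    // Private copy of the caller's secret; never replaced after construction.
    private final byte[] sharedSymmetricKey;
    private boolean fapi;

    /**
     * Creates a decrypter for the symmetric key-wrap algorithms.
     *
     * @param bArr shared symmetric secret; copied defensively. May be {@code null},
     *             in which case symmetric decryption fails with {@link InvalidJweException}.
     */
    public JweDecrypterImpl(byte[] bArr) {
        this.privateKey = null;
        this.sharedSymmetricKey = (bArr != null) ? bArr.clone() : null;
    }

    /**
     * Creates a decrypter for the RSA key-encryption algorithms.
     *
     * @param privateKey RSA private key used to unwrap the content encryption key
     */
    public JweDecrypterImpl(PrivateKey privateKey) {
        this.privateKey = privateKey;
        this.sharedSymmetricKey = null;
    }

    /**
     * @return whether the FAPI restriction on nested JWTs is enabled
     */
    public boolean isFapi() {
        return this.fapi;
    }

    /**
     * @param z {@code true} to reject a nested JWT whose signature algorithm is {@code none}
     */
    public void setFapi(boolean z) {
        this.fapi = z;
    }

    /**
     * Decrypts a compact-serialized JWE and returns its parsed form.
     *
     * <p>If the decrypted payload is a signed JWT, it is parsed and attached as the
     * signed payload and its claims are exposed on the result; the signature is NOT
     * verified here. Otherwise the payload is checked by
     * {@code validateNestedJwt} and then parsed as a claims set.
     *
     * @param str the JWE in compact serialization (five dot-separated segments)
     * @return the decrypted JWE with header, encoded segments and claims populated
     * @throws InvalidJweException on any failure; the underlying exception is kept as the cause
     */
    @Override
    public Jwe decrypt(String str) throws InvalidJweException {
        try {
            String[] parts = str.split("\\.");
            if (parts.length != JWE_COMPACT_PARTS) {
                throw new InvalidJwtException("Invalid JWE format.");
            }

            String encodedHeader = parts[0];
            Jwe jwe = new Jwe();
            jwe.setEncodedHeader(encodedHeader);
            jwe.setEncodedEncryptedKey(parts[1]);
            jwe.setEncodedInitializationVector(parts[2]);
            jwe.setEncodedCiphertext(parts[3]);
            jwe.setEncodedIntegrityValue(parts[4]);
            jwe.setHeader(new JwtHeader(encodedHeader));

            EncryptedJWT encryptedJwt = EncryptedJWT.parse(str);

            // Both values come from the token header as received.
            setKeyEncryptionAlgorithm(KeyEncryptionAlgorithm.fromName(jwe.getHeader().getClaimAsString("alg")));
            setBlockEncryptionAlgorithm(BlockEncryptionAlgorithm.fromName(jwe.getHeader().getClaimAsString("enc")));

            Key decryptionKey = resolveDecryptionKey(getKeyEncryptionAlgorithm());

            JWEDecrypter decrypter = DECRYPTER_FACTORY.createJWEDecrypter(encryptedJwt.getHeader(), decryptionKey);
            decrypter.getJCAContext().setProvider(SecurityProviderUtility.getInstance());
            encryptedJwt.decrypt(decrypter);

            SignedJWT signedJwt = encryptedJwt.getPayload().toSignedJWT();
            if (signedJwt != null) {
                // Parsed only: signature verification is left to the caller.
                Jwt nestedJwt = Jwt.parse(signedJwt.serialize());
                jwe.setSignedJWTPayload(nestedJwt);
                jwe.setClaims(nestedJwt.getClaims());
            } else {
                String payload = encryptedJwt.getPayload().toString();
                validateNestedJwt(payload);
                jwe.setClaims(new JwtClaims(payload));
            }
            return jwe;
        } catch (Exception e) {
            throw new InvalidJweException(e);
        }
    }

    /**
     * Selects the key that matches the token's key-management algorithm.
     *
     * <p>The AES key is derived into a local array on every call. The stored secret
     * is never overwritten, so decrypting an A128KW token and later an A256KW token
     * with the same instance derives both keys from the original secret.
     *
     * @param keyEncryptionAlgorithm algorithm named by the token's {@code alg} header; may be {@code null}
     * @return the RSA private key or an AES {@link SecretKeySpec}
     * @throws InvalidJweException if the algorithm is unsupported or the matching key was not supplied
     * @throws java.security.NoSuchAlgorithmException if SHA-256 is unavailable
     */
    private Key resolveDecryptionKey(KeyEncryptionAlgorithm keyEncryptionAlgorithm)
            throws InvalidJweException, java.security.NoSuchAlgorithmException {
        if (keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA1_5
                || keyEncryptionAlgorithm == KeyEncryptionAlgorithm.RSA_OAEP) {
            // Fail with a clear message instead of handing a null key to the factory.
            if (this.privateKey == null) {
                throw new InvalidJweException("The private key is null");
            }
            return this.privateKey;
        }

        if (keyEncryptionAlgorithm != KeyEncryptionAlgorithm.A128KW
                && keyEncryptionAlgorithm != KeyEncryptionAlgorithm.A256KW) {
            throw new InvalidJweException("The key encryption algorithm is not supported");
        }
        if (this.sharedSymmetricKey == null) {
            throw new InvalidJweException("The shared symmetric key is null");
        }

        int keyLength = (keyEncryptionAlgorithm == KeyEncryptionAlgorithm.A256KW)
                ? A256KW_KEY_LENGTH
                : A128KW_KEY_LENGTH;

        byte[] aesKey = this.sharedSymmetricKey;
        if (aesKey.length != keyLength) {
            // Secret of the wrong size: use the leading bytes of its SHA-256 digest.
            aesKey = Arrays.copyOf(MessageDigest.getInstance("SHA-256").digest(aesKey), keyLength);
        }
        return new SecretKeySpec(aesKey, 0, aesKey.length, "AES");
    }

    /**
     * Rejects an unsigned nested JWT when FAPI mode is on.
     *
     * <p>With FAPI mode off, a payload that parses as a JWT with signature
     * algorithm {@code none} passes this check.
     *
     * @param payload the decrypted JWE payload
     * @throws InvalidJwtException if FAPI mode is enabled and the payload is a JWT using {@code none}
     */
    private void validateNestedJwt(String payload) throws InvalidJwtException {
        Jwt nestedJwt = Jwt.parseSilently(payload);
        if (nestedJwt != null
                && nestedJwt.getHeader().getSignatureAlgorithm() == SignatureAlgorithm.NONE
                && isFapi()) {
            throw new InvalidJwtException("The None algorithm in nested JWT is not allowed for FAPI");
        }
    }
}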
