package org.forgerock.openam.selfservice;

import java.security.KeyPair;
import javax.crypto.SecretKey;
import javax.inject.Inject;
import org.forgerock.json.jose.jwe.EncryptionMethod;
import org.forgerock.json.jose.jwe.JweAlgorithm;
import org.forgerock.json.jose.jws.JwsAlgorithm;
import org.forgerock.json.jose.jws.SigningManager;
import org.forgerock.openam.utils.AMKeyProvider;
import org.forgerock.selfservice.core.config.StageConfigException;
import org.forgerock.selfservice.core.snapshot.SnapshotTokenConfig;
import org.forgerock.selfservice.core.snapshot.SnapshotTokenHandler;
import org.forgerock.selfservice.core.snapshot.SnapshotTokenHandlerFactory;
import org.forgerock.selfservice.stages.tokenhandlers.JwtTokenHandler;

/* loaded from: input_file:org/forgerock/openam/selfservice/JwtSnapshotTokenHandlerFactory.class */
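/**
 * Creates {@link SnapshotTokenHandler} instances for self-service snapshot tokens, using an
 * encryption key pair and an HMAC signing secret looked up by alias through {@link AMKeyProvider}.
 *
 * <p>Only configurations whose type equals {@code KeyStoreJwtTokenConfig.TYPE} are supported;
 * any other type is rejected with a {@link StageConfigException}.
 */
final class JwtSnapshotTokenHandlerFactory implements SnapshotTokenHandlerFactory {
    // NOTE(review): RSAES-PKCS1-v1_5 key encryption is open to padding-oracle attacks when the
    // decrypting side exposes distinguishable failures. Consider moving to an OAEP-based JWE
    // algorithm if the bundled JOSE library offers one. Tokens issued before such a change would
    // presumably stop decrypting, so plan the migration accordingly.
    private static final JweAlgorithm DEFAULT_ENCRYPTION_ALGORITHM = JweAlgorithm.RSAES_PKCS1_V1_5;
    private static final EncryptionMethod DEFAULT_ENCRYPTION_METHOD = EncryptionMethod.A128CBC_HS256;
    // NOTE(review): RFC 7518 section 3.2 requires an HS256 key of at least 256 bits. The length of
    // the configured secret is not checked in this class; verify it where the key is provisioned.
    private static final JwsAlgorithm DEFAULT_SIGNING_ALGORITHM = JwsAlgorithm.HS256;
    private final AMKeyProvider keyProvider;

    /**
     * @param aMKeyProvider source of the encryption key pair and the signing secret key
     */
    @Inject
    JwtSnapshotTokenHandlerFactory(AMKeyProvider aMKeyProvider) {
        this.keyProvider = aMKeyProvider;
    }

    /**
     * Returns a token handler for the supplied configuration.
     *
     * @param snapshotTokenConfig the snapshot token configuration
     * @return a handler built from the key-store backed JWT configuration
     * @throws StageConfigException if the configuration type is not
     *     {@code KeyStoreJwtTokenConfig.TYPE} (including a {@code null} type), or if the
     *     configured keys cannot be loaded
     */
    public SnapshotTokenHandler get(SnapshotTokenConfig snapshotTokenConfig) {
        // Compare from the constant side so that a null type is reported as an unknown type
        // instead of surfacing as a NullPointerException.
        if (KeyStoreJwtTokenConfig.TYPE.equals(snapshotTokenConfig.getType())) {
            return configureJwtTokenHandler((KeyStoreJwtTokenConfig) snapshotTokenConfig);
        }
        throw new StageConfigException("Unknown token type " + snapshotTokenConfig.getType());
    }

    /**
     * Resolves the configured key aliases and assembles the JWT token handler.
     *
     * @param keyStoreJwtTokenConfig configuration carrying the key aliases and token lifetime
     * @return the configured token handler
     * @throws StageConfigException if the key pair or the secret key cannot be retrieved, or if
     *     the secret key exposes no encoded key material
     */
    private SnapshotTokenHandler configureJwtTokenHandler(KeyStoreJwtTokenConfig keyStoreJwtTokenConfig) {
        String encryptionAlias = keyStoreJwtTokenConfig.getEncryptionKeyPairAlias();
        KeyPair keyPair = this.keyProvider.getKeyPair(encryptionAlias);
        if (keyPair == null) {
            throw new StageConfigException("Unable to retrieve key pair for encryption key pair alias " + encryptionAlias);
        }

        String signingAlias = keyStoreJwtTokenConfig.getSigningSecretKeyAlias();
        SecretKey secretKey = this.keyProvider.getSecretKey(signingAlias);
        if (secretKey == null) {
            throw new StageConfigException("Unable to retrieve key for certificate alias " + signingAlias);
        }

        // Key.getEncoded() returns null when the key does not support encoding (for example a
        // non-extractable key). Fail with a configuration error instead of passing a null or
        // empty secret on to the HMAC signing handler.
        byte[] signingSecret = secretKey.getEncoded();
        if (signingSecret == null || signingSecret.length == 0) {
            throw new StageConfigException("Unable to obtain encoded key material for signing secret key alias " + signingAlias);
        }

        return new JwtTokenHandler(
                DEFAULT_ENCRYPTION_ALGORITHM,
                DEFAULT_ENCRYPTION_METHOD,
                keyPair,
                DEFAULT_SIGNING_ALGORITHM,
                new SigningManager().newHmacSigningHandler(signingSecret),
                keyStoreJwtTokenConfig.getTokenLifeTimeInSeconds());
    }
}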
