package org.apache.knox.gateway.service.knoxtoken;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPublicKey;
import javax.annotation.PostConstruct;
import javax.inject.Singleton;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.apache.knox.gateway.config.GatewayConfig;
import org.apache.knox.gateway.services.GatewayServices;
import org.apache.knox.gateway.services.ServiceType;
import org.apache.knox.gateway.services.security.AliasService;
import org.apache.knox.gateway.services.security.AliasServiceException;
import org.apache.knox.gateway.services.security.KeystoreService;
import org.apache.knox.gateway.services.security.KeystoreServiceException;
import org.apache.knox.gateway.services.security.token.TokenUtils;

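/**
 * JAX-RS resource that publishes the gateway's token-signing public key as a JSON Web Key Set.
 *
 * <p>The key set is served at {@code knoxtoken/api/v1/jwks.json}. Only the public half of the
 * signing key is read (from the signing certificate), so no private key material is placed in
 * the response. Each published key carries a {@code kid} computed by
 * {@code TokenUtils.getThumbprint(publicKey, "SHA-256")}.
 *
 * <p>NOTE(review): whether this endpoint sits behind authentication is decided by the topology
 * and is not visible in this class. Treat every response body, including error bodies, as
 * readable by any caller.
 */
@Singleton
@Path(JWKSResource.RESOURCE_PATH)
public class JWKSResource {
    public static final String JWKS_PATH = "/jwks.json";
    static final String RESOURCE_PATH = "knoxtoken/api/v1";
    private static final String TOKEN_SIG_ALG = "knox.token.sigalg";

    // Servlet-context attribute names under which the gateway services and config are looked up.
    private static final String GATEWAY_SERVICES_ATTRIBUTE = "org.apache.knox.gateway.gateway.services";
    private static final String GATEWAY_CONFIG_ATTRIBUTE = "org.apache.knox.gateway.config";
    // Alias used when the gateway configuration does not name a signing key alias.
    private static final String DEFAULT_SIGNING_KEY_ALIAS = "gateway-identity";

    @Context
    HttpServletRequest request;

    @Context
    ServletContext context;
    private KeystoreService keystoreService;
    private String signatureAlgorithm;

    /**
     * Resolves the keystore service and the token signature algorithm from the servlet context.
     *
     * @throws AliasServiceException if the signature algorithm lookup through the alias service fails
     */
    @PostConstruct
    public void init() throws AliasServiceException {
        GatewayServices gatewayServices = (GatewayServices) this.context.getAttribute(GATEWAY_SERVICES_ATTRIBUTE);
        this.keystoreService = (KeystoreService) gatewayServices.getService(ServiceType.KEYSTORE_SERVICE);
        AliasService aliasService = (AliasService) gatewayServices.getService(ServiceType.ALIAS_SERVICE);
        this.signatureAlgorithm = TokenUtils.getSignatureAlgorithm(
                this.context.getInitParameter(TOKEN_SIG_ALG),
                aliasService,
                gatewayConfig().getSigningKeystoreName());
    }

    /**
     * Serves the JSON Web Key Set for the signing key.
     *
     * @return 200 with the key set (possibly empty), or 500 with a JSON error object
     */
    @GET
    @Produces({"application/json"})
    @Path(JWKS_PATH)
    public Response getJwksResponse() {
        // null is passed through to getSigningKeystore(); presumably that selects the
        // configured/default signing keystore - confirm against KeystoreService.
        return getJwks(null);
    }

    /**
     * Builds the key-set response for the named signing keystore.
     *
     * @param str keystore name handed to {@link #getPublicKey(String)}; may be {@code null}
     * @return 200 with an empty key set when no signing certificate is found, 200 with a single
     *     signature-use RSA key otherwise, or 500 with a JSON error object on failure
     */
    private Response getJwks(String str) {
        try {
            RSAPublicKey publicKey = getPublicKey(str);
            if (publicKey == null) {
                return Response.ok().entity(new JWKSet().toJSONObject().toString()).build();
            }
            // RSAKey.Builder is seeded with the public key only, so the serialized JWK
            // contains public parameters and nothing else.
            RSAKey jwk = new RSAKey.Builder(publicKey)
                    .keyUse(KeyUse.SIGNATURE)
                    .algorithm(new JWSAlgorithm(this.signatureAlgorithm))
                    .keyID(TokenUtils.getThumbprint(publicKey, "SHA-256"))
                    .build();
            return Response.ok().entity(new JWKSet(jwk).toJSONObject().toString()).build();
        } catch (KeystoreServiceException e) {
            return errorResponse("keystore " + str + " could not be found.");
        } catch (KeyStoreException | JOSEException e) {
            // NOTE(review): the exception text is still returned to the caller. It is escaped so
            // the body stays valid JSON, but it may describe keystore internals; prefer logging
            // it server-side and returning a generic message once a logger is available here.
            return errorResponse(e.toString());
        }
    }

    /**
     * Reads the RSA public key of the signing certificate.
     *
     * @param str keystore name handed to {@code KeystoreService.getSigningKeystore}
     * @return the signing certificate's RSA public key, or {@code null} when the keystore holds
     *     no certificate under the signing alias
     * @throws KeystoreServiceException if the signing keystore cannot be obtained
     * @throws KeyStoreException if the keystore cannot be read, or the signing certificate's
     *     public key is not an RSA key
     */
    protected RSAPublicKey getPublicKey(String str) throws KeystoreServiceException, KeyStoreException {
        Certificate certificate = this.keystoreService.getSigningKeystore(str).getCertificate(getSigningKeyAlias());
        if (certificate == null) {
            return null;
        }
        // A non-RSA signing key used to surface as an unchecked ClassCastException; report it
        // through the declared exception so the caller can answer with its JSON error body.
        if (!(certificate.getPublicKey() instanceof RSAPublicKey)) {
            throw new KeyStoreException("Signing certificate does not contain an RSA public key");
        }
        return (RSAPublicKey) certificate.getPublicKey();
    }

    /** Returns the configured signing key alias, or {@code gateway-identity} when none is set. */
    private String getSigningKeyAlias() {
        String signingKeyAlias = gatewayConfig().getSigningKeyAlias();
        return signingKeyAlias == null ? DEFAULT_SIGNING_KEY_ALIAS : signingKeyAlias;
    }

    /** Looks up the gateway configuration stored in the servlet context. */
    private GatewayConfig gatewayConfig() {
        return (GatewayConfig) this.context.getAttribute(GATEWAY_CONFIG_ATTRIBUTE);
    }

    /** Builds a 500 response whose body is a JSON object with one escaped {@code error} member. */
    private static Response errorResponse(String message) {
        return Response.status(500).entity("{\n  \"error\": \"" + jsonEscape(message) + "\"\n}\n").build();
    }

    /**
     * Escapes a value for use inside a JSON string literal, so that quotes, backslashes and
     * control characters in the message cannot break or reshape the response document.
     */
    private static String jsonEscape(String value) {
        String text = String.valueOf(value);
        StringBuilder escaped = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '"':
                    escaped.append("\\\"");
                    break;
                case '\\':
                    escaped.append("\\\\");
                    break;
                case '\n':
                    escaped.append("\\n");
                    break;
                case '\r':
                    escaped.append("\\r");
                    break;
                case '\t':
                    escaped.append("\\t");
                    break;
                default:
                    if (c < 0x20) {
                        escaped.append(String.format("\\u%04x", (int) c));
                    } else {
                        escaped.append(c);
                    }
                    break;
            }
        }
        return escaped.toString();
    }
}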
