package com.google.crypto.tink.jwt;

import com.google.crypto.tink.AccessesPartialKey;
import com.google.crypto.tink.KeyManager;
import com.google.crypto.tink.KeyTemplate;
import com.google.crypto.tink.Mac;
import com.google.crypto.tink.Parameters;
import com.google.crypto.tink.config.internal.TinkFipsUtil;
import com.google.crypto.tink.internal.KeyManagerRegistry;
import com.google.crypto.tink.internal.LegacyKeyManagerImpl;
import com.google.crypto.tink.internal.MutableKeyCreationRegistry;
import com.google.crypto.tink.internal.MutableParametersRegistry;
import com.google.crypto.tink.internal.MutablePrimitiveRegistry;
import com.google.crypto.tink.internal.PrimitiveConstructor;
import com.google.crypto.tink.internal.TinkBugException;
import com.google.crypto.tink.jwt.JwtFormat;
import com.google.crypto.tink.jwt.JwtHmacKey;
import com.google.crypto.tink.jwt.JwtHmacParameters;
import com.google.crypto.tink.mac.HmacKey;
import com.google.crypto.tink.mac.HmacParameters;
import com.google.crypto.tink.proto.KeyData;
import com.google.crypto.tink.subtle.PrfMac;
import com.google.crypto.tink.util.SecretBytes;
import com.google.errorprone.annotations.Immutable;
import com.google.gson.JsonObject;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.annotation.Nullable;

/* loaded from: input_file:META-INF/jars/minecord-api-2.0.1+1.21.5.jar:com/google/crypto/tink/jwt/JwtHmacKeyManager.class */
public final class JwtHmacKeyManager {
    private static final KeyManager<Void> legacyKeyManager = LegacyKeyManagerImpl.create("type.googleapis.com/google.crypto.tink.JwtHmacKey", Void.class, KeyData.KeyMaterialType.SYMMETRIC, com.google.crypto.tink.proto.JwtHmacKey.parser());
    private static final PrimitiveConstructor<JwtHmacKey, JwtMac> PRIMITIVE_CONSTRUCTOR = PrimitiveConstructor.create(JwtHmacKeyManager::createFullJwtHmac, JwtHmacKey.class, JwtMac.class);
    private static final MutableKeyCreationRegistry.KeyCreator<JwtHmacParameters> KEY_CREATOR = JwtHmacKeyManager::createKey;
    private static final TinkFipsUtil.AlgorithmFipsCompatibility FIPS = TinkFipsUtil.AlgorithmFipsCompatibility.ALGORITHM_REQUIRES_BORINGCRYPTO;

    @Immutable
    /* loaded from: input_file:META-INF/jars/minecord-api-2.0.1+1.21.5.jar:com/google/crypto/tink/jwt/JwtHmacKeyManager$JwtHmac.class */
    private static final class JwtHmac implements JwtMac {
        private final Mac mac;
        private final String algorithm;
        private final JwtHmacKey jwtHmacKey;

        private JwtHmac(Mac mac, JwtHmacKey jwtHmacKey) {
            this.algorithm = jwtHmacKey.getParameters().getAlgorithm().getStandardName();
            this.mac = mac;
            this.jwtHmacKey = jwtHmacKey;
        }

        @Override // com.google.crypto.tink.jwt.JwtMac
        public String computeMacAndEncode(RawJwt rawJwt) throws GeneralSecurityException {
            String createUnsignedCompact = JwtFormat.createUnsignedCompact(this.algorithm, this.jwtHmacKey.getKid(), rawJwt);
            return JwtFormat.createSignedCompact(createUnsignedCompact, this.mac.computeMac(createUnsignedCompact.getBytes(StandardCharsets.US_ASCII)));
        }

        @Override // com.google.crypto.tink.jwt.JwtMac
        public VerifiedJwt verifyMacAndDecode(String str, JwtValidator jwtValidator) throws GeneralSecurityException {
            JwtFormat.Parts splitSignedCompact = JwtFormat.splitSignedCompact(str);
            this.mac.verifyMac(splitSignedCompact.signatureOrMac, splitSignedCompact.unsignedCompact.getBytes(StandardCharsets.US_ASCII));
            JsonObject parseJson = JsonUtil.parseJson(splitSignedCompact.header);
            JwtFormat.validateHeader(parseJson, this.jwtHmacKey.getParameters().getAlgorithm().getStandardName(), this.jwtHmacKey.getKid(), this.jwtHmacKey.getParameters().allowKidAbsent());
            return jwtValidator.validate(RawJwt.fromJsonPayload(JwtFormat.getTypeHeader(parseJson), splitSignedCompact.payload));
        }
    }

    private static void validate(JwtHmacParameters jwtHmacParameters) throws GeneralSecurityException {
        int i = Integer.MAX_VALUE;
        if (jwtHmacParameters.getAlgorithm().equals(JwtHmacParameters.Algorithm.HS256)) {
            i = 32;
        }
        if (jwtHmacParameters.getAlgorithm().equals(JwtHmacParameters.Algorithm.HS384)) {
            i = 48;
        }
        if (jwtHmacParameters.getAlgorithm().equals(JwtHmacParameters.Algorithm.HS512)) {
            i = 64;
        }
        if (jwtHmacParameters.getKeySizeBytes() < i) {
            throw new GeneralSecurityException("Key size must be at least " + i);
        }
    }

    private static int getTagLength(JwtHmacParameters.Algorithm algorithm) throws GeneralSecurityException {
        if (algorithm.equals(JwtHmacParameters.Algorithm.HS256)) {
            return 32;
        }
        if (algorithm.equals(JwtHmacParameters.Algorithm.HS384)) {
            return 48;
        }
        if (algorithm.equals(JwtHmacParameters.Algorithm.HS512)) {
            return 64;
        }
        throw new GeneralSecurityException("Unsupported algorithm: " + algorithm);
    }

    private static HmacParameters.HashType getHmacHashType(JwtHmacParameters.Algorithm algorithm) throws GeneralSecurityException {
        if (algorithm.equals(JwtHmacParameters.Algorithm.HS256)) {
            return HmacParameters.HashType.SHA256;
        }
        if (algorithm.equals(JwtHmacParameters.Algorithm.HS384)) {
            return HmacParameters.HashType.SHA384;
        }
        if (algorithm.equals(JwtHmacParameters.Algorithm.HS512)) {
            return HmacParameters.HashType.SHA512;
        }
        throw new GeneralSecurityException("Unsupported algorithm: " + algorithm);
    }

    @AccessesPartialKey
    private static JwtMac createFullJwtHmac(JwtHmacKey jwtHmacKey) throws GeneralSecurityException {
        validate(jwtHmacKey.getParameters());
        return new JwtHmac(PrfMac.create(HmacKey.builder().setParameters(HmacParameters.builder().setKeySizeBytes(jwtHmacKey.getParameters().getKeySizeBytes()).setHashType(getHmacHashType(jwtHmacKey.getParameters().getAlgorithm())).setTagSizeBytes(getTagLength(jwtHmacKey.getParameters().getAlgorithm())).build()).setKeyBytes(jwtHmacKey.getKeyBytes()).build()), jwtHmacKey);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static String getKeyType() {
        return "type.googleapis.com/google.crypto.tink.JwtHmacKey";
    }

    @AccessesPartialKey
    private static JwtHmacKey createKey(JwtHmacParameters jwtHmacParameters, @Nullable Integer num) throws GeneralSecurityException {
        validate(jwtHmacParameters);
        JwtHmacKey.Builder keyBytes = JwtHmacKey.builder().setParameters(jwtHmacParameters).setKeyBytes(SecretBytes.randomBytes(jwtHmacParameters.getKeySizeBytes()));
        if (jwtHmacParameters.hasIdRequirement()) {
            if (num == null) {
                throw new GeneralSecurityException("Cannot create key without ID requirement with parameters with ID requirement");
            }
            keyBytes.setIdRequirement(num.intValue());
        }
        return keyBytes.build();
    }

    private static Map<String, Parameters> namedParameters() throws GeneralSecurityException {
        HashMap hashMap = new HashMap();
        hashMap.put("JWT_HS256_RAW", JwtHmacParameters.builder().setKeySizeBytes(32).setAlgorithm(JwtHmacParameters.Algorithm.HS256).setKidStrategy(JwtHmacParameters.KidStrategy.IGNORED).build());
        hashMap.put("JWT_HS256", JwtHmacParameters.builder().setKeySizeBytes(32).setAlgorithm(JwtHmacParameters.Algorithm.HS256).setKidStrategy(JwtHmacParameters.KidStrategy.BASE64_ENCODED_KEY_ID).build());
        hashMap.put("JWT_HS384_RAW", JwtHmacParameters.builder().setKeySizeBytes(48).setAlgorithm(JwtHmacParameters.Algorithm.HS384).setKidStrategy(JwtHmacParameters.KidStrategy.IGNORED).build());
        hashMap.put("JWT_HS384", JwtHmacParameters.builder().setKeySizeBytes(48).setAlgorithm(JwtHmacParameters.Algorithm.HS384).setKidStrategy(JwtHmacParameters.KidStrategy.BASE64_ENCODED_KEY_ID).build());
        hashMap.put("JWT_HS512_RAW", JwtHmacParameters.builder().setKeySizeBytes(64).setAlgorithm(JwtHmacParameters.Algorithm.HS512).setKidStrategy(JwtHmacParameters.KidStrategy.IGNORED).build());
        hashMap.put("JWT_HS512", JwtHmacParameters.builder().setKeySizeBytes(64).setAlgorithm(JwtHmacParameters.Algorithm.HS512).setKidStrategy(JwtHmacParameters.KidStrategy.BASE64_ENCODED_KEY_ID).build());
        return Collections.unmodifiableMap(hashMap);
    }

    public TinkFipsUtil.AlgorithmFipsCompatibility fipsStatus() {
        return FIPS;
    }

    public static void register(boolean z) throws GeneralSecurityException {
        if (!FIPS.isCompatible()) {
            throw new GeneralSecurityException("Can not use HMAC in FIPS-mode, as BoringCrypto module is not available.");
        }
        JwtHmacProtoSerialization.register();
        MutableKeyCreationRegistry.globalInstance().add(KEY_CREATOR, JwtHmacParameters.class);
        MutablePrimitiveRegistry.globalInstance().registerPrimitiveConstructor(PRIMITIVE_CONSTRUCTOR);
        MutableParametersRegistry.globalInstance().putAll(namedParameters());
        KeyManagerRegistry.globalInstance().registerKeyManagerWithFipsCompatibility(legacyKeyManager, FIPS, z);
    }

    public static final KeyTemplate hs256Template() {
        return (KeyTemplate) TinkBugException.exceptionIsBug(() -> {
            return KeyTemplate.createFrom(JwtHmacParameters.builder().setKeySizeBytes(32).setKidStrategy(JwtHmacParameters.KidStrategy.IGNORED).setAlgorithm(JwtHmacParameters.Algorithm.HS256).build());
        });
    }

    public static final KeyTemplate hs384Template() {
        return (KeyTemplate) TinkBugException.exceptionIsBug(() -> {
            return KeyTemplate.createFrom(JwtHmacParameters.builder().setKeySizeBytes(48).setKidStrategy(JwtHmacParameters.KidStrategy.IGNORED).setAlgorithm(JwtHmacParameters.Algorithm.HS384).build());
        });
    }

    public static final KeyTemplate hs512Template() {
        return (KeyTemplate) TinkBugException.exceptionIsBug(() -> {
            return KeyTemplate.createFrom(JwtHmacParameters.builder().setKeySizeBytes(64).setKidStrategy(JwtHmacParameters.KidStrategy.IGNORED).setAlgorithm(JwtHmacParameters.Algorithm.HS512).build());
        });
    }

    private JwtHmacKeyManager() {
    }
}
