package org.apache.cxf.rs.security.oauth2.provider;

import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
import org.apache.cxf.rs.security.jose.jwe.JweUtils;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rt.security.crypto.CryptoUtils;

/* loaded from: input_file:lib/cxf-rt-rs-security-oauth2-3.1.18.jar:org/apache/cxf/rs/security/oauth2/provider/OAuthServerJoseJwtProducer.class */
public class OAuthServerJoseJwtProducer extends OAuthJoseJwtProducer {
    private boolean encryptWithClientCertificates;

    public String processJwt(JwtToken jwtToken, Client client) {
        return processJwt(jwtToken, getInitializedEncryptionProvider(client), getInitializedSignatureProvider(client));
    }

    protected JweEncryptionProvider getInitializedEncryptionProvider(Client client) {
        JweEncryptionProvider jweEncryptionProvider = null;
        if (this.encryptWithClientCertificates && client != null && !client.getApplicationCertificates().isEmpty()) {
            jweEncryptionProvider = JweUtils.createJweEncryptionProvider((RSAPublicKey) ((X509Certificate) CryptoUtils.decodeCertificate(client.getApplicationCertificates().get(0))).getPublicKey(), KeyAlgorithm.RSA_OAEP, ContentAlgorithm.A128GCM, (String) null);
        }
        if (jweEncryptionProvider == null && client != null && client.getClientSecret() != null) {
            jweEncryptionProvider = super.getInitializedEncryptionProvider(client.getClientSecret());
        }
        return jweEncryptionProvider;
    }

    protected JwsSignatureProvider getInitializedSignatureProvider(Client client) {
        if (client == null) {
            return null;
        }
        return super.getInitializedSignatureProvider(client.getClientSecret());
    }

    public void setEncryptWithClientCertificates(boolean z) {
        if (isEncryptWithClientSecret()) {
            throw new SecurityException();
        }
        this.encryptWithClientCertificates = z;
    }
}
