package io.jsonwebtoken.impl;

import c.b;
import com.ibm.model.CognitiveAssistantConfig;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Header;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.impl.crypto.DefaultJwtSigner;
import io.jsonwebtoken.impl.io.InstanceLocator;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.io.Encoder;
import io.jsonwebtoken.io.Encoders;
import io.jsonwebtoken.io.SerializationException;
import io.jsonwebtoken.io.Serializer;
import io.jsonwebtoken.lang.Assert;
import io.jsonwebtoken.lang.Classes;
import io.jsonwebtoken.security.InvalidKeyException;
import io.jsonwebtoken.security.Keys;
import io.jsonwebtoken.security.WeakKeyException;
import java.security.Key;
import java.security.PrivateKey;
import java.security.interfaces.ECKey;
import java.security.interfaces.RSAKey;
import java.util.Map;
import javax.crypto.spec.SecretKeySpec;
import n.f;

/* loaded from: classes2.dex */
public class DefaultJwtBuilder implements JwtBuilder {
    public Encoder<byte[], String> L = Encoders.b;

    /* renamed from: f, reason: collision with root package name */
    public Header f8647f;

    /* renamed from: g, reason: collision with root package name */
    public Claims f8648g;
    public SignatureAlgorithm h;

    /* renamed from: n, reason: collision with root package name */
    public Key f8649n;

    /* renamed from: p, reason: collision with root package name */
    public Serializer<Map<String, ?>> f8650p;

    @Override // io.jsonwebtoken.JwtBuilder
    public JwtBuilder a(String str, Object obj) {
        Assert.a(str, "Claim property name cannot be null or empty.");
        Claims claims = this.f8648g;
        if (claims == null) {
            if (obj != null) {
                if (claims == null) {
                    this.f8648g = new DefaultClaims();
                }
                this.f8648g.put(str, obj);
            }
        } else if (obj == null) {
            claims.remove(str);
        } else {
            claims.put(str, obj);
        }
        return this;
    }

    @Override // io.jsonwebtoken.JwtBuilder
    public String c() {
        if (this.f8650p == null) {
            this.f8650p = (Serializer) ((InstanceLocator) Classes.d("io.jsonwebtoken.impl.io.RuntimeClasspathSerializerLocator")).a();
        }
        Claims claims = this.f8648g;
        if (claims == null || claims.isEmpty()) {
            throw new IllegalStateException("Either 'payload' or 'claims' must be specified.");
        }
        if (this.f8647f == null) {
            this.f8647f = new DefaultHeader();
        }
        Header header = this.f8647f;
        JwsHeader defaultJwsHeader = header instanceof JwsHeader ? (JwsHeader) header : new DefaultJwsHeader(header);
        if (this.f8649n != null) {
            defaultJwsHeader.b(this.h.f8642f);
        } else {
            SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.NONE;
            defaultJwsHeader.b(CognitiveAssistantConfig.ChatMode.NONE);
        }
        Assert.b(Map.class, defaultJwsHeader, "object argument must be a map.");
        try {
            Assert.b(Map.class, defaultJwsHeader, "object argument must be a map.");
            String a10 = this.L.a(this.f8650p.serialize(defaultJwsHeader));
            try {
                Claims claims2 = this.f8648g;
                Assert.b(Map.class, claims2, "object argument must be a map.");
                String str = a10 + '.' + this.L.a(this.f8650p.serialize(claims2));
                Key key = this.f8649n;
                if (key == null) {
                    return str + '.';
                }
                DefaultJwtSigner defaultJwtSigner = new DefaultJwtSigner(this.h, key, this.L);
                return str + '.' + defaultJwtSigner.b.a(defaultJwtSigner.f8657a.sign(str.getBytes(DefaultJwtSigner.f8656c)));
            } catch (SerializationException e10) {
                StringBuilder a11 = b.a("Unable to serialize claims object to json: ");
                a11.append(e10.getMessage());
                throw new IllegalArgumentException(a11.toString(), e10);
            }
        } catch (SerializationException e11) {
            throw new IllegalStateException("Unable to serialize header to json.", e11);
        }
    }

    /* JADX WARN: Multi-variable type inference failed */
    @Override // io.jsonwebtoken.JwtBuilder
    public JwtBuilder d(SignatureAlgorithm signatureAlgorithm, String str) throws InvalidKeyException {
        Assert.a(str, "base64-encoded secret key cannot be null or empty.");
        Assert.c(signatureAlgorithm.a(), "Base64-encoded key bytes may only be specified for HMAC signatures.  If using RSA or Elliptic Curve, use the signWith(SignatureAlgorithm, Key) method instead.");
        byte[] b = Decoders.f8676a.b(str);
        if (b == null || b.length == 0) {
            throw new IllegalArgumentException("secret key byte array cannot be null or empty.");
        }
        Assert.c(signatureAlgorithm.a(), "Key bytes may only be specified for HMAC signatures.  If using RSA or Elliptic Curve, use the signWith(SignatureAlgorithm, Key) method instead.");
        SecretKeySpec secretKeySpec = new SecretKeySpec(b, signatureAlgorithm.h);
        if (signatureAlgorithm == SignatureAlgorithm.NONE) {
            throw new InvalidKeyException("The 'NONE' signature algorithm does not support cryptographic keys.");
        }
        if (signatureAlgorithm.a()) {
            byte[] encoded = secretKeySpec.getEncoded();
            if (encoded == null) {
                StringBuilder a10 = b.a("The ");
                a10.append(SignatureAlgorithm.b(true));
                a10.append(" key's encoded bytes cannot be null.");
                throw new InvalidKeyException(a10.toString());
            }
            String algorithm = secretKeySpec.getAlgorithm();
            if (algorithm == null) {
                StringBuilder a11 = b.a("The ");
                a11.append(SignatureAlgorithm.b(true));
                a11.append(" key's algorithm cannot be null.");
                throw new InvalidKeyException(a11.toString());
            }
            if (!"HmacSHA256".equalsIgnoreCase(algorithm) && !"HmacSHA384".equalsIgnoreCase(algorithm) && !"HmacSHA512".equalsIgnoreCase(algorithm)) {
                StringBuilder a12 = b.a("The ");
                a12.append(SignatureAlgorithm.b(true));
                a12.append(" key's algorithm '");
                a12.append(algorithm);
                a12.append("' does not equal a valid HmacSHA* algorithm name and cannot be used with ");
                a12.append(signatureAlgorithm.name());
                a12.append(".");
                throw new InvalidKeyException(a12.toString());
            }
            int length = encoded.length * 8;
            if (length < signatureAlgorithm.f8645p) {
                StringBuilder a13 = b.a("The ");
                a13.append(SignatureAlgorithm.b(true));
                a13.append(" key's size is ");
                a13.append(length);
                a13.append(" bits which is not secure enough for the ");
                a13.append(signatureAlgorithm.name());
                a13.append(" algorithm.  The JWT JWA Specification (RFC 7518, Section 3.2) states that keys used with ");
                a13.append(signatureAlgorithm.name());
                a13.append(" MUST have a size >= ");
                a13.append(signatureAlgorithm.f8645p);
                a13.append(" bits (the key size must be greater than or equal to the hash output size).  Consider using the ");
                a13.append(Keys.class.getName());
                a13.append(" class's 'secretKeyFor(SignatureAlgorithm.");
                a13.append(signatureAlgorithm.name());
                a13.append(")' method to create a key guaranteed to be secure enough for ");
                a13.append(signatureAlgorithm.name());
                a13.append(".  See https://tools.ietf.org/html/rfc7518#section-3.2 for more information.");
                throw new WeakKeyException(a13.toString());
            }
        } else {
            if (!(secretKeySpec instanceof PrivateKey)) {
                throw new InvalidKeyException(f.a(new StringBuilder(), signatureAlgorithm.f8643g, " signing keys must be PrivateKey instances."));
            }
            if (signatureAlgorithm.f8643g.equals("ECDSA")) {
                if (!(secretKeySpec instanceof ECKey)) {
                    throw new InvalidKeyException(signatureAlgorithm.f8643g + " " + SignatureAlgorithm.b(true) + " keys must be ECKey instances.");
                }
                int bitLength = ((ECKey) secretKeySpec).getParams().getOrder().bitLength();
                if (bitLength < signatureAlgorithm.f8645p) {
                    StringBuilder a14 = b.a("The ");
                    a14.append(SignatureAlgorithm.b(true));
                    a14.append(" key's size (ECParameterSpec order) is ");
                    a14.append(bitLength);
                    a14.append(" bits which is not secure enough for the ");
                    a14.append(signatureAlgorithm.name());
                    a14.append(" algorithm.  The JWT JWA Specification (RFC 7518, Section 3.4) states that keys used with ");
                    a14.append(signatureAlgorithm.name());
                    a14.append(" MUST have a size >= ");
                    a14.append(signatureAlgorithm.f8645p);
                    a14.append(" bits.  Consider using the ");
                    a14.append(Keys.class.getName());
                    a14.append(" class's 'keyPairFor(SignatureAlgorithm.");
                    a14.append(signatureAlgorithm.name());
                    a14.append(")' method to create a key pair guaranteed to be secure enough for ");
                    a14.append(signatureAlgorithm.name());
                    a14.append(".  See https://tools.ietf.org/html/rfc7518#section-3.4 for more information.");
                    throw new WeakKeyException(a14.toString());
                }
            } else {
                if (!(secretKeySpec instanceof RSAKey)) {
                    throw new InvalidKeyException(signatureAlgorithm.f8643g + " " + SignatureAlgorithm.b(true) + " keys must be RSAKey instances.");
                }
                int bitLength2 = ((RSAKey) secretKeySpec).getModulus().bitLength();
                if (bitLength2 < signatureAlgorithm.f8645p) {
                    String str2 = signatureAlgorithm.name().startsWith("P") ? "3.5" : "3.3";
                    StringBuilder a15 = b.a("The ");
                    a15.append(SignatureAlgorithm.b(true));
                    a15.append(" key's size is ");
                    a15.append(bitLength2);
                    a15.append(" bits which is not secure enough for the ");
                    a15.append(signatureAlgorithm.name());
                    a15.append(" algorithm.  The JWT JWA Specification (RFC 7518, Section ");
                    a15.append(str2);
                    a15.append(") states that keys used with ");
                    a15.append(signatureAlgorithm.name());
                    a15.append(" MUST have a size >= ");
                    a15.append(signatureAlgorithm.f8645p);
                    a15.append(" bits.  Consider using the ");
                    a15.append(Keys.class.getName());
                    a15.append(" class's 'keyPairFor(SignatureAlgorithm.");
                    a15.append(signatureAlgorithm.name());
                    a15.append(")' method to create a key pair guaranteed to be secure enough for ");
                    a15.append(signatureAlgorithm.name());
                    a15.append(".  See https://tools.ietf.org/html/rfc7518#section-");
                    a15.append(str2);
                    a15.append(" for more information.");
                    throw new WeakKeyException(a15.toString());
                }
            }
        }
        this.h = signatureAlgorithm;
        this.f8649n = secretKeySpec;
        return this;
    }
}
