package com.microsoft.identity.broker4j.broker.prt;

import com.google.gson.Gson;
import com.microsoft.identity.broker4j.broker.crypto.IKeyEntry;
import com.microsoft.identity.broker4j.broker.crypto.keyaccessors.IKeyEntryAccessor;
import com.microsoft.identity.broker4j.broker.crypto.keyfactories.IBrokerKeyFactory;
import com.microsoft.identity.broker4j.broker.flighting.Broker4jFlightsManager;
import com.microsoft.identity.broker4j.broker.flighting.BrokerFlight;
import com.microsoft.identity.broker4j.broker.flighting.IBrokerFlightsProvider;
import com.microsoft.identity.common.java.AuthenticationConstants;
import com.microsoft.identity.common.java.exception.ClientException;
import com.microsoft.identity.common.java.jwt.IJwtRequestSigner;
import com.microsoft.identity.common.java.jwt.JwtRequestBody;
import com.microsoft.identity.common.java.jwt.JwtRequestHeader;
import com.microsoft.identity.common.java.jwt.JwtUtils;
import com.microsoft.identity.common.java.logging.Logger;
import com.microsoft.identity.common.java.util.StringUtil;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import kotlin.requestDeviceSession;
import lombok.NonNull;

/* loaded from: classes4.dex */
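/**
 * {@link IJwtRequestSigner} that signs a JWT request with a key derived from a session key.
 *
 * <p>For every call a fresh random key context is generated, a one-off key is derived from the
 * session key, the JWT is signed with that derived key, and the derived key is then deleted
 * through the key manager of the broker key factory.
 *
 * <p>NOTE(review): this file appears to be decompiler output; some external identifiers (for
 * example the helper used to encode the key context) carry names that do not describe what they
 * do and should be checked against the original sources.
 */
public class SessionKeyJwtRequestSigner implements IJwtRequestSigner {
    private static final String TAG = "SessionKeyJwtRequestSigner";
    final IBrokerKeyFactory mBrokerKeyFactory;
    final IKeyEntry mSessionKey;

    /**
     * Creates a signer bound to one session key.
     *
     * @param iBrokerKeyFactory factory used to obtain the derived-key accessor and the key manager
     * @param iKeyEntry session key from which per-request signing keys are derived
     * @throws NullPointerException if either argument is {@code null}
     */
    public SessionKeyJwtRequestSigner(@NonNull IBrokerKeyFactory iBrokerKeyFactory, @NonNull IKeyEntry iKeyEntry) {
        if (iBrokerKeyFactory == null) {
            throw new NullPointerException("mBrokerKeyFactory is marked non-null but is null");
        }
        if (iKeyEntry == null) {
            throw new NullPointerException("mSessionKey is marked non-null but is null");
        }
        this.mBrokerKeyFactory = iBrokerKeyFactory;
        this.mSessionKey = iKeyEntry;
    }

    /**
     * Builds the JWT header: HS256 algorithm value, key id {@code "session"}, and the encoded
     * key context in {@code ctx}.
     *
     * @param keyContext random key context generated for this request
     * @param useKdfVersion2 when {@code true}, the header also carries KDF version 2
     * @return the populated header
     * @throws NullPointerException if {@code keyContext} is {@code null}
     */
    private JwtRequestHeader getJwtHeader(@NonNull byte[] keyContext, boolean useKdfVersion2) {
        if (keyContext == null) {
            throw new NullPointerException("keyContext is marked non-null but is null");
        }
        JwtRequestHeader header = new JwtRequestHeader();
        header.setType();
        header.setAlg(JwtRequestHeader.ALG_VALUE_HS256);
        header.setKId("session");
        // NOTE(review): the helper's name looks like a decompiler artifact; its call shape
        // (bytes, int flags -> bytes) suggests a byte-to-text encoder - confirm against source.
        header.setCtx(new String(requestDeviceSession.getMamServiceCertificatePin(keyContext, 3), AuthenticationConstants.CHARSET_UTF8));
        if (useKdfVersion2) {
            header.setKdfVersion(2);
        }
        return header;
    }

    /**
     * Derives the per-request signing key from the session key.
     *
     * <p>With KDF version 2 the derivation input is SHA-256 over the random key context followed
     * by the Gson JSON serialization of the request body; otherwise it is the random key context
     * itself.
     *
     * @param methodTag log tag of the calling method
     * @param keyContext random key context generated for this request
     * @param jwtRequestBody body of the request being signed
     * @param useKdfVersion2 whether the KDF version 2 flight is enabled
     * @return the derived key entry
     * @throws ClientException if SHA-256 is unavailable, or if key derivation reports one
     */
    private IKeyEntry deriveSigningKey(String methodTag, byte[] keyContext, JwtRequestBody jwtRequestBody, boolean useKdfVersion2) throws ClientException {
        if (!useKdfVersion2) {
            return SessionKeyUtil.deriveKey(this.mBrokerKeyFactory, this.mSessionKey, keyContext);
        }
        try {
            Logger.info(methodTag, "Using KDF version 2 to generate derived key");
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            // NOTE(review): the hash covers Gson's serialization of the body, while the signed
            // token is produced by JwtUtils.generateJWT below; the verifier can only reproduce
            // this input if both serializations are byte-identical - confirm.
            byte[] bodyJson = new Gson().toJson(jwtRequestBody).getBytes(AuthenticationConstants.ENCODING_UTF8);
            sha256.update(keyContext);
            return SessionKeyUtil.deriveKey(this.mBrokerKeyFactory, this.mSessionKey, sha256.digest(bodyJson));
        } catch (NoSuchAlgorithmException e) {
            Logger.error(methodTag, "Failed to get SHA-256 algorithm to compute hash", e);
            throw new ClientException("no_such_algorithm", e.getMessage(), e);
        }
    }

    /**
     * Serializes and signs the given request body.
     *
     * <p>The derived signing key is deleted in a {@code finally} block, so it is removed from the
     * key manager even when building or signing the JWT fails. If the deletion itself throws
     * while another exception is in flight, the deletion failure is the one that propagates.
     *
     * @param jwtRequestBody body of the JWT request
     * @return the generated JWT followed by {@code "."} and the URL-safe encoded signature
     * @throws ClientException if key derivation or signing fails
     * @throws NullPointerException if {@code jwtRequestBody} is {@code null}
     */
    @Override // com.microsoft.identity.common.java.jwt.IJwtRequestSigner
    public String getSignedJwt(@NonNull JwtRequestBody jwtRequestBody) throws ClientException {
        if (jwtRequestBody == null) {
            throw new NullPointerException("jwtRequestBody is marked non-null but is null");
        }
        final String methodTag = TAG + ":getSignedJwt";
        final byte[] keyContext = SessionKeyUtil.generateRandomKeyContext();
        // A missing flights provider is treated the same as the flight being disabled.
        final IBrokerFlightsProvider flightsProvider = Broker4jFlightsManager.INSTANCE.getFlightsProvider();
        final boolean useKdfVersion2 = flightsProvider != null && flightsProvider.isFlightEnabled(BrokerFlight.USE_KDF_VERSION_2);
        Logger.info(methodTag, "Generating derived key for signing");
        final IKeyEntry derivedKey = deriveSigningKey(methodTag, keyContext, jwtRequestBody, useKdfVersion2);
        try {
            // NOTE(review): the constant passed here is named for AES-GCM decryption while the
            // header advertises HS256; the primitive used by sign() is not visible here - confirm.
            IKeyEntryAccessor signingAccessor = this.mBrokerKeyFactory.getDerivedSessionKeyAccessor(derivedKey, SessionKeyUtil.DERIVED_KEY_DECRYPTION_ALGORITHM_AES_GCM);
            String unsignedJwt = JwtUtils.generateJWT(getJwtHeader(keyContext, useKdfVersion2), jwtRequestBody);
            Logger.info(methodTag, "Signing JWT with derived key");
            String signature = StringUtil.encodeUrlSafeString(signingAccessor.sign(unsignedJwt.getBytes(AuthenticationConstants.ENCODING_UTF8)));
            return unsignedJwt + "." + signature;
        } finally {
            // The derived key is single-use; do not leave it behind when signing fails.
            this.mBrokerKeyFactory.getKeyManager().deleteKey(derivedKey);
        }
    }
}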
