package org.springframework.security.oauth2.server.authorization.config.annotation.web.configurers;

import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2ClientAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeActor;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2TokenExchangeCompositeAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenClaimNames;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenClaimsContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/springframework/security/oauth2/server/authorization/config/annotation/web/configurers/DefaultOAuth2TokenCustomizers.class */
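/**
 * Default token customizers that add two kinds of claims to issued tokens:
 * <ul>
 * <li>{@code cnf} / {@code x5t#S256} - the SHA-256 thumbprint of the client certificate, which
 * binds an access token to the certificate the client authenticated with;</li>
 * <li>{@code act} - a nested chain of actor claims for token exchange.</li>
 * </ul>
 *
 * <p>This is decompiler output. The JADX markers below record that the class and its methods
 * were less visible in the original than they appear here; treat the {@code public} modifiers
 * as a decompilation artifact rather than as supported API.
 */
public final class DefaultOAuth2TokenCustomizers {
    private DefaultOAuth2TokenCustomizers() {
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns a customizer that applies {@link #customize} to the claims of a JWT being encoded.
     *
     * @return the customizer for {@link JwtEncodingContext}
     */
    public static OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer() {
        return context -> context.getClaims().claims(claims -> customize(context, claims));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns a customizer that applies {@link #customize} to the claims of an access token
     * described by an {@link OAuth2TokenClaimsContext}.
     *
     * @return the customizer for {@link OAuth2TokenClaimsContext}
     */
    public static OAuth2TokenCustomizer<OAuth2TokenClaimsContext> accessTokenCustomizer() {
        return context -> context.getClaims().claims(claims -> customize(context, claims));
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Adds the {@code cnf} and {@code act} claims to {@code map} where they apply.
     *
     * <p>{@code cnf} is added only when all of the following hold: the token is an access token,
     * an authorization grant is present, the grant's principal is an
     * {@link OAuth2ClientAuthenticationToken} authenticated with {@code TLS_CLIENT_AUTH} or
     * {@code SELF_SIGNED_TLS_CLIENT_AUTH}, and the registered client's token settings enable
     * X509 certificate-bound access tokens.
     *
     * <p>{@code act} is added whenever the context principal is an
     * {@link OAuth2TokenExchangeCompositeAuthenticationToken}, regardless of token type.
     *
     * @param oAuth2TokenContext the context of the token being issued
     * @param map the mutable claims map to add to
     * @throws OAuth2AuthenticationException with error code {@code server_error} if the
     * certificate thumbprint cannot be computed
     */
    public static void customize(OAuth2TokenContext oAuth2TokenContext, Map<String, Object> map) {
        if (OAuth2TokenType.ACCESS_TOKEN.equals(oAuth2TokenContext.getTokenType())
                && oAuth2TokenContext.getAuthorizationGrant() != null) {
            Object grantPrincipal = oAuth2TokenContext.getAuthorizationGrant().getPrincipal();
            if (grantPrincipal instanceof OAuth2ClientAuthenticationToken) {
                OAuth2ClientAuthenticationToken clientAuthentication = (OAuth2ClientAuthenticationToken) grantPrincipal;
                ClientAuthenticationMethod method = clientAuthentication.getClientAuthenticationMethod();
                boolean certificateAuthenticated = ClientAuthenticationMethod.TLS_CLIENT_AUTH.equals(method)
                        || ClientAuthenticationMethod.SELF_SIGNED_TLS_CLIENT_AUTH.equals(method);
                if (certificateAuthenticated
                        && oAuth2TokenContext.getRegisteredClient().getTokenSettings().isX509CertificateBoundAccessTokens()) {
                    try {
                        // Only element [0] of the credentials array is hashed.
                        // NOTE(review): presumably that is the client's own (leaf) certificate -
                        // confirm against the code that populates the credentials.
                        X509Certificate[] certificateChain = (X509Certificate[]) clientAuthentication.getCredentials();
                        String sha256Thumbprint = computeSHA256Thumbprint(certificateChain[0]);
                        // Typed map instead of the raw HashMap the decompiler emitted.
                        Map<String, Object> confirmation = new HashMap<>();
                        confirmation.put("x5t#S256", sha256Thumbprint);
                        map.put("cnf", confirmation);
                    } catch (Exception e) {
                        // Deliberately broad: a null, empty or wrongly typed credentials value
                        // also ends up here, so no token is issued without the binding claim
                        // once binding has been requested.
                        throw new OAuth2AuthenticationException(new OAuth2Error("server_error", "Failed to compute SHA-256 Thumbprint for client X509Certificate.", (String) null), e);
                    }
                }
            }
        }
        // Hold the principal as Object and test its type before casting. Declaring the local as
        // the composite token type (as the decompiler did) makes the compiler insert a cast on
        // the call result when getPrincipal() is generic - its declaration is not visible here -
        // and that cast would throw ClassCastException for every ordinary principal before the
        // instanceof check could run.
        Object contextPrincipal = oAuth2TokenContext.getPrincipal();
        if (contextPrincipal instanceof OAuth2TokenExchangeCompositeAuthenticationToken) {
            OAuth2TokenExchangeCompositeAuthenticationToken compositeAuthentication =
                    (OAuth2TokenExchangeCompositeAuthenticationToken) contextPrincipal;
            Map<String, Object> currentClaims = map;
            for (OAuth2TokenExchangeActor actor : compositeAuthentication.getActors()) {
                Map<String, Object> actorClaims = actor.getClaims();
                // Only iss and sub are copied from the actor; a claim the actor lacks is stored
                // as null rather than omitted.
                Map<String, Object> actClaim = new LinkedHashMap<>();
                actClaim.put(OAuth2TokenClaimNames.ISS, actorClaims.get(OAuth2TokenClaimNames.ISS));
                actClaim.put(OAuth2TokenClaimNames.SUB, actorClaims.get(OAuth2TokenClaimNames.SUB));
                // unmodifiableMap is a read-only view of actClaim, not a copy: the next actor's
                // "act" entry is written into actClaim and shows through the view, which is how
                // the chain nests one level per actor.
                currentClaims.put("act", Collections.unmodifiableMap(actClaim));
                currentClaims = actClaim;
            }
        }
    }

    /**
     * Computes the SHA-256 digest of the certificate's encoded form and returns it base64url
     * encoded without padding.
     *
     * @param x509Certificate the certificate to fingerprint
     * @return the unpadded base64url thumbprint
     * @throws Exception if SHA-256 is unavailable or the certificate cannot be encoded
     */
    private static String computeSHA256Thumbprint(X509Certificate x509Certificate) throws Exception {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        byte[] digest = sha256.digest(x509Certificate.getEncoded());
        return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
    }
}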
