package io.jsonwebtoken; import b.d; import io.jsonwebtoken.security.InvalidKeyException; import io.jsonwebtoken.security.Keys; import io.jsonwebtoken.security.SignatureException; import io.jsonwebtoken.security.WeakKeyException; import j2.b; import java.security.Key; import java.security.PrivateKey; import java.security.interfaces.ECKey; import java.security.interfaces.RSAKey; import java.util.Arrays; import java.util.Collections; import java.util.List; import javax.crypto.SecretKey; import ln.r0; import ln.u0; import org.apache.cordova.networkinformation.NetworkManager; import z1.a; public enum SignatureAlgorithm { NONE(NetworkManager.TYPE_NONE, "No digital signature or MAC performed", "None", null, false, 0, 0), HS256("HS256", "HMAC using SHA-256", "HMAC", "HmacSHA256", true, 256, 256), HS384("HS384", "HMAC using SHA-384", "HMAC", "HmacSHA384", true, 384, 384), HS512("HS512", "HMAC using SHA-512", "HMAC", "HmacSHA512", true, 512, 512), RS256("RS256", "RSASSA-PKCS-v1_5 using SHA-256", "RSA", "SHA256withRSA", true, 256, 2048), RS384("RS384", "RSASSA-PKCS-v1_5 using SHA-384", "RSA", "SHA384withRSA", true, 384, 2048), RS512("RS512", "RSASSA-PKCS-v1_5 using SHA-512", "RSA", "SHA512withRSA", true, 512, 2048), ES256("ES256", "ECDSA using P-256 and SHA-256", "ECDSA", "SHA256withECDSA", true, 256, 256), ES384("ES384", "ECDSA using P-384 and SHA-384", "ECDSA", "SHA384withECDSA", true, 384, 384), ES512("ES512", "ECDSA using P-521 and SHA-512", "ECDSA", "SHA512withECDSA", true, 512, 521), PS256("PS256", "RSASSA-PSS using SHA-256 and MGF1 with SHA-256", "RSA", "SHA256withRSAandMGF1", false, 256, 2048), PS384("PS384", "RSASSA-PSS using SHA-384 and MGF1 with SHA-384", "RSA", "SHA384withRSAandMGF1", false, 384, 2048), PS512("PS512", "RSASSA-PSS using SHA-512 and MGF1 with SHA-512", "RSA", "SHA512withRSAandMGF1", false, 512, 2048); private static final List<SignatureAlgorithm> PREFERRED_EC_ALGS; private static final List<SignatureAlgorithm> PREFERRED_HMAC_ALGS; private final String description; private final int digestLength; private final String familyName; private final String jcaName; private final boolean jdkStandard; private final int minKeyLength; private final String value; /* access modifiers changed from: public */ static { SignatureAlgorithm signatureAlgorithm; SignatureAlgorithm signatureAlgorithm2; SignatureAlgorithm signatureAlgorithm3; SignatureAlgorithm signatureAlgorithm4; SignatureAlgorithm signatureAlgorithm5; SignatureAlgorithm signatureAlgorithm6; PREFERRED_HMAC_ALGS = Collections.unmodifiableList(Arrays.asList(signatureAlgorithm3, signatureAlgorithm2, signatureAlgorithm)); PREFERRED_EC_ALGS = Collections.unmodifiableList(Arrays.asList(signatureAlgorithm6, signatureAlgorithm5, signatureAlgorithm4)); } private SignatureAlgorithm(String str, String str2, String str3, String str4, boolean z14, int i14, int i15) { this.value = str; this.description = str2; this.familyName = str3; this.jcaName = str4; this.jdkStandard = z14; this.digestLength = i14; this.minKeyLength = i15; } private void assertValid(Key key, boolean z14) throws InvalidKeyException { if (this == NONE) { throw new InvalidKeyException("The 'NONE' signature algorithm does not support cryptographic keys."); } else if (isHmac()) { if (key instanceof SecretKey) { SecretKey secretKey = (SecretKey) key; byte[] encoded = secretKey.getEncoded(); if (encoded != null) { String algorithm = secretKey.getAlgorithm(); if (algorithm == null) { throw new InvalidKeyException(r0.a(d.a("The "), keyType(z14), " key's algorithm cannot be null.")); } else if (HS256.jcaName.equalsIgnoreCase(algorithm) || HS384.jcaName.equalsIgnoreCase(algorithm) || HS512.jcaName.equalsIgnoreCase(algorithm)) { int length = encoded.length * 8; if (length < this.minKeyLength) { StringBuilder a14 = d.a("The "); u0.a(a14, keyType(z14), " key's size is ", length, " bits which "); a14.append("is not secure enough for the "); a14.append(name()); a14.append(" algorithm. The JWT "); a14.append("JWA Specification (RFC 7518, Section 3.2) states that keys used with "); a14.append(name()); a14.append(" MUST have a "); a14.append("size >= "); a14.append(this.minKeyLength); a14.append(" bits (the key size must be greater than or equal to the hash "); a14.append("output size). Consider using the "); a14.append(Keys.class.getName()); a14.append(" class's "); a14.append("'secretKeyFor(SignatureAlgorithm."); a14.append(name()); a14.append(")' method to create a key guaranteed to be "); a14.append("secure enough for "); a14.append(name()); a14.append(". See "); a14.append("https://tools.ietf.org/html/rfc7518#section-3.2 for more information."); throw new WeakKeyException(a14.toString()); } } else { StringBuilder a15 = d.a("The "); a.a(a15, keyType(z14), " key's algorithm '", algorithm, "' does not equal a valid HmacSHA* algorithm name and cannot be used with "); a15.append(name()); a15.append("."); throw new InvalidKeyException(a15.toString()); } } else { throw new InvalidKeyException(r0.a(d.a("The "), keyType(z14), " key's encoded bytes cannot be null.")); } } else { StringBuilder sb4 = new StringBuilder(); sb4.append(this.familyName); sb4.append(" "); throw new InvalidKeyException(r0.a(sb4, keyType(z14), " keys must be SecretKey instances.")); } } else if (z14 && !(key instanceof PrivateKey)) { throw new InvalidKeyException(r0.a(new StringBuilder(), this.familyName, " signing keys must be PrivateKey instances.")); } else if (isEllipticCurve()) { if (key instanceof ECKey) { int bitLength = ((ECKey) key).getParams().getOrder().bitLength(); if (bitLength < this.minKeyLength) { StringBuilder a16 = d.a("The "); u0.a(a16, keyType(z14), " key's size (ECParameterSpec order) is ", bitLength, " bits which is not secure enough for the "); a16.append(name()); a16.append(" algorithm. The JWT "); a16.append("JWA Specification (RFC 7518, Section 3.4) states that keys used with "); a16.append(name()); a16.append(" MUST have a size >= "); a16.append(this.minKeyLength); a16.append(" bits. Consider using the "); a16.append(Keys.class.getName()); a16.append(" class's "); a16.append("'keyPairFor(SignatureAlgorithm."); a16.append(name()); a16.append(")' method to create a key pair guaranteed "); a16.append("to be secure enough for "); a16.append(name()); throw new WeakKeyException(r0.a(a16, ". See ", "https://tools.ietf.org/html/rfc7518#section-3.4 for more information.")); } return; } StringBuilder sb5 = new StringBuilder(); sb5.append(this.familyName); sb5.append(" "); throw new InvalidKeyException(r0.a(sb5, keyType(z14), " keys must be ECKey instances.")); } else if (key instanceof RSAKey) { int bitLength2 = ((RSAKey) key).getModulus().bitLength(); if (bitLength2 < this.minKeyLength) { String str = name().startsWith("P") ? "3.5" : "3.3"; StringBuilder a17 = d.a("The "); u0.a(a17, keyType(z14), " key's size is ", bitLength2, " bits which is not secure "); a17.append("enough for the "); a17.append(name()); a17.append(" algorithm. The JWT JWA Specification (RFC 7518, Section "); a17.append(str); a17.append(") states that keys used with "); a17.append(name()); a17.append(" MUST have a size >= "); a17.append(this.minKeyLength); a17.append(" bits. Consider using the "); a17.append(Keys.class.getName()); a17.append(" class's "); a17.append("'keyPairFor(SignatureAlgorithm."); a17.append(name()); a17.append(")' method to create a key pair guaranteed "); a17.append("to be secure enough for "); a17.append(name()); throw new WeakKeyException(b.a(a17, ". See ", "https://tools.ietf.org/html/rfc7518#section-", str, " for more information.")); } } else { StringBuilder sb6 = new StringBuilder(); sb6.append(this.familyName); sb6.append(" "); throw new InvalidKeyException(r0.a(sb6, keyType(z14), " keys must be RSAKey instances.")); } } public static SignatureAlgorithm forName(String str) throws SignatureException { SignatureAlgorithm[] values = values(); for (SignatureAlgorithm signatureAlgorithm : values) { if (signatureAlgorithm.getValue().equalsIgnoreCase(str)) { return signatureAlgorithm; } } throw new SignatureException(id2.d.c("Unsupported signature algorithm '", str, "'")); } public static SignatureAlgorithm forSigningKey(Key key) throws InvalidKeyException { if (key != null) { boolean z14 = key instanceof SecretKey; if (!z14 && (!(key instanceof PrivateKey) || (!(key instanceof ECKey) && !(key instanceof RSAKey)))) { StringBuilder a14 = d.a("JWT standard signing algorithms require either 1) a SecretKey for HMAC-SHA algorithms or 2) a private RSAKey for RSA algorithms or 3) a private ECKey for Elliptic Curve algorithms. The specified key is of type "); a14.append(key.getClass().getName()); throw new InvalidKeyException(a14.toString()); } else if (z14) { int length = io.jsonwebtoken.lang.Arrays.length(((SecretKey) key).getEncoded()) * 8; for (SignatureAlgorithm signatureAlgorithm : PREFERRED_HMAC_ALGS) { if (length >= signatureAlgorithm.minKeyLength) { return signatureAlgorithm; } } throw new WeakKeyException("The specified SecretKey is not strong enough to be used with JWT HMAC signature algorithms. The JWT specification requires HMAC keys to be >= 256 bits long. The specified key is " + length + " bits. See https://tools.ietf.org/html/rfc7518#section-3.2 for more " + "information."); } else if (key instanceof RSAKey) { int bitLength = ((RSAKey) key).getModulus().bitLength(); if (bitLength >= 4096) { SignatureAlgorithm signatureAlgorithm2 = RS512; signatureAlgorithm2.assertValidSigningKey(key); return signatureAlgorithm2; } else if (bitLength >= 3072) { SignatureAlgorithm signatureAlgorithm3 = RS384; signatureAlgorithm3.assertValidSigningKey(key); return signatureAlgorithm3; } else { SignatureAlgorithm signatureAlgorithm4 = RS256; if (bitLength >= signatureAlgorithm4.minKeyLength) { signatureAlgorithm4.assertValidSigningKey(key); return signatureAlgorithm4; } throw new WeakKeyException("The specified RSA signing key is not strong enough to be used with JWT RSA signature algorithms. The JWT specification requires RSA keys to be >= 2048 bits long. The specified RSA key is " + bitLength + " bits. See https://tools.ietf.org/html/rfc7518#section-3.3 for more " + "information."); } } else { int bitLength2 = ((ECKey) key).getParams().getOrder().bitLength(); for (SignatureAlgorithm signatureAlgorithm5 : PREFERRED_EC_ALGS) { if (bitLength2 >= signatureAlgorithm5.minKeyLength) { signatureAlgorithm5.assertValidSigningKey(key); return signatureAlgorithm5; } } throw new WeakKeyException("The specified Elliptic Curve signing key is not strong enough to be used with JWT ECDSA signature algorithms. The JWT specification requires ECDSA keys to be >= 256 bits long. The specified ECDSA key is " + bitLength2 + " bits. See " + "https://tools.ietf.org/html/rfc7518#section-3.4 for more information."); } } else { throw new InvalidKeyException("Key argument cannot be null."); } } private static String keyType(boolean z14) { return z14 ? "signing" : "verification"; } public void assertValidSigningKey(Key key) throws InvalidKeyException { assertValid(key, true); } public void assertValidVerificationKey(Key key) throws InvalidKeyException { assertValid(key, false); } public String getDescription() { return this.description; } public String getFamilyName() { return this.familyName; } public String getJcaName() { return this.jcaName; } public int getMinKeyLength() { return this.minKeyLength; } public String getValue() { return this.value; } public boolean isEllipticCurve() { return this.familyName.equals("ECDSA"); } public boolean isHmac() { return this.familyName.equals("HMAC"); } public boolean isJdkStandard() { return this.jdkStandard; } public boolean isRsa() { return this.familyName.equals("RSA"); } }