package io.jsonwebtoken.impl;

import io.jsonwebtoken.impl.io.InstanceLocator;
import java.security.Key;
import java.security.PrivateKey;
import java.security.interfaces.ECKey;
import java.security.interfaces.RSAKey;
import java.util.Map;
import javax.crypto.spec.SecretKeySpec;
import u.a.b;
import u.a.c;
import u.a.d;
import u.a.h;
import u.a.j.j;
import u.a.j.k;
import u.a.j.p;
import u.a.j.q;
import u.a.k.a;
import u.a.l.e;

/* loaded from: classes2.dex */
public class DefaultJwtBuilder implements d {
    public b a;
    public DefaultClaims b;
    public h c;
    public Key d;
    public q<Map<String, ?>> e;
    public j<byte[], String> f = k.b;

    @Override // u.a.d
    public String a() {
        if (this.e == null) {
            this.e = (q) ((InstanceLocator) a.d("io.jsonwebtoken.impl.io.RuntimeClasspathSerializerLocator")).a();
        }
        DefaultClaims defaultClaims = this.b;
        if (defaultClaims == null || defaultClaims.isEmpty()) {
            throw new IllegalStateException("Either 'payload' or 'claims' must be specified.");
        }
        if (this.a == null) {
            this.a = new DefaultHeader();
        }
        b bVar = this.a;
        c defaultJwsHeader = bVar instanceof c ? (c) bVar : new DefaultJwsHeader(bVar);
        if (this.d != null) {
            defaultJwsHeader.a(this.c.value);
        } else {
            defaultJwsHeader.a(h.NONE.value);
        }
        t.a.a.b.a.s0(Map.class, defaultJwsHeader, "object argument must be a map.");
        try {
            t.a.a.b.a.s0(Map.class, defaultJwsHeader, "object argument must be a map.");
            String a = this.f.a(this.e.serialize(defaultJwsHeader));
            try {
                DefaultClaims defaultClaims2 = this.b;
                t.a.a.b.a.s0(Map.class, defaultClaims2, "object argument must be a map.");
                String str = a + '.' + this.f.a(this.e.serialize(defaultClaims2));
                Key key = this.d;
                if (key == null) {
                    return str + '.';
                }
                u.a.i.b.a aVar = new u.a.i.b.a(this.c, key, this.f);
                return str + '.' + aVar.b.a(aVar.a.a(str.getBytes(u.a.i.b.a.c)));
            } catch (p e) {
                StringBuilder s = j.d.a.a.a.s("Unable to serialize claims object to json: ");
                s.append(e.getMessage());
                throw new IllegalArgumentException(s.toString(), e);
            }
        } catch (p e2) {
            throw new IllegalStateException("Unable to serialize header to json.", e2);
        }
    }

    @Override // u.a.d
    public d b(q<Map<String, ?>> qVar) {
        t.a.a.b.a.H0(qVar, "Serializer cannot be null.");
        this.e = qVar;
        return this;
    }

    @Override // u.a.d
    public d c(Map<String, Object> map) {
        e().putAll(map);
        return this;
    }

    /* JADX WARN: Multi-variable type inference failed */
    @Override // u.a.d
    public d d(h hVar, byte[] bArr) {
        t.a.a.b.a.H0(hVar, "SignatureAlgorithm cannot be null.");
        if (bArr.length == 0) {
            throw new IllegalArgumentException("secret key byte array cannot be null or empty.");
        }
        t.a.a.b.a.B0(hVar.a(), "Key bytes may only be specified for HMAC signatures.  If using RSA or Elliptic Curve, use the signWith(SignatureAlgorithm, Key) method instead.");
        SecretKeySpec secretKeySpec = new SecretKeySpec(bArr, hVar.jcaName);
        t.a.a.b.a.H0(secretKeySpec, "Key argument cannot be null.");
        t.a.a.b.a.H0(hVar, "SignatureAlgorithm cannot be null.");
        if (hVar == h.NONE) {
            throw new u.a.l.a("The 'NONE' signature algorithm does not support cryptographic keys.");
        }
        if (hVar.a()) {
            byte[] encoded = secretKeySpec.getEncoded();
            if (encoded == null) {
                StringBuilder s = j.d.a.a.a.s("The ");
                s.append(h.c(true));
                s.append(" key's encoded bytes cannot be null.");
                throw new u.a.l.a(s.toString());
            }
            String algorithm = secretKeySpec.getAlgorithm();
            if (algorithm == null) {
                StringBuilder s2 = j.d.a.a.a.s("The ");
                s2.append(h.c(true));
                s2.append(" key's algorithm cannot be null.");
                throw new u.a.l.a(s2.toString());
            }
            if (!h.HS256.jcaName.equalsIgnoreCase(algorithm) && !h.HS384.jcaName.equalsIgnoreCase(algorithm) && !h.HS512.jcaName.equalsIgnoreCase(algorithm)) {
                StringBuilder s3 = j.d.a.a.a.s("The ");
                s3.append(h.c(true));
                s3.append(" key's algorithm '");
                s3.append(algorithm);
                s3.append("' does not equal a valid HmacSHA* algorithm name and cannot be used with ");
                s3.append(hVar.name());
                s3.append(".");
                throw new u.a.l.a(s3.toString());
            }
            int length = encoded.length * 8;
            if (length < hVar.minKeyLength) {
                StringBuilder s4 = j.d.a.a.a.s("The ");
                s4.append(h.c(true));
                s4.append(" key's size is ");
                s4.append(length);
                s4.append(" bits which is not secure enough for the ");
                s4.append(hVar.name());
                s4.append(" algorithm.  The JWT JWA Specification (RFC 7518, Section 3.2) states that keys used with ");
                s4.append(hVar.name());
                s4.append(" MUST have a size >= ");
                s4.append(hVar.minKeyLength);
                s4.append(" bits (the key size must be greater than or equal to the hash output size).  Consider using the ");
                s4.append(u.a.l.b.class.getName());
                s4.append(" class's 'secretKeyFor(SignatureAlgorithm.");
                s4.append(hVar.name());
                s4.append(")' method to create a key guaranteed to be secure enough for ");
                s4.append(hVar.name());
                s4.append(".  See https://tools.ietf.org/html/rfc7518#section-3.2 for more information.");
                throw new e(s4.toString());
            }
        } else {
            if (!(secretKeySpec instanceof PrivateKey)) {
                throw new u.a.l.a(j.d.a.a.a.o(new StringBuilder(), hVar.familyName, " signing keys must be PrivateKey instances."));
            }
            if (hVar.familyName.equals("ECDSA")) {
                if (!(secretKeySpec instanceof ECKey)) {
                    throw new u.a.l.a(hVar.familyName + " " + h.c(true) + " keys must be ECKey instances.");
                }
                int bitLength = ((ECKey) secretKeySpec).getParams().getOrder().bitLength();
                if (bitLength < hVar.minKeyLength) {
                    StringBuilder s5 = j.d.a.a.a.s("The ");
                    s5.append(h.c(true));
                    s5.append(" key's size (ECParameterSpec order) is ");
                    s5.append(bitLength);
                    s5.append(" bits which is not secure enough for the ");
                    s5.append(hVar.name());
                    s5.append(" algorithm.  The JWT JWA Specification (RFC 7518, Section 3.4) states that keys used with ");
                    s5.append(hVar.name());
                    s5.append(" MUST have a size >= ");
                    s5.append(hVar.minKeyLength);
                    s5.append(" bits.  Consider using the ");
                    s5.append(u.a.l.b.class.getName());
                    s5.append(" class's 'keyPairFor(SignatureAlgorithm.");
                    s5.append(hVar.name());
                    s5.append(")' method to create a key pair guaranteed to be secure enough for ");
                    s5.append(hVar.name());
                    s5.append(".  See https://tools.ietf.org/html/rfc7518#section-3.4 for more information.");
                    throw new e(s5.toString());
                }
            } else {
                if (!(secretKeySpec instanceof RSAKey)) {
                    throw new u.a.l.a(hVar.familyName + " " + h.c(true) + " keys must be RSAKey instances.");
                }
                int bitLength2 = ((RSAKey) secretKeySpec).getModulus().bitLength();
                if (bitLength2 < hVar.minKeyLength) {
                    String str = hVar.name().startsWith("P") ? "3.5" : "3.3";
                    StringBuilder s6 = j.d.a.a.a.s("The ");
                    s6.append(h.c(true));
                    s6.append(" key's size is ");
                    s6.append(bitLength2);
                    s6.append(" bits which is not secure enough for the ");
                    s6.append(hVar.name());
                    s6.append(" algorithm.  The JWT JWA Specification (RFC 7518, Section ");
                    s6.append(str);
                    s6.append(") states that keys used with ");
                    s6.append(hVar.name());
                    s6.append(" MUST have a size >= ");
                    s6.append(hVar.minKeyLength);
                    s6.append(" bits.  Consider using the ");
                    s6.append(u.a.l.b.class.getName());
                    s6.append(" class's 'keyPairFor(SignatureAlgorithm.");
                    s6.append(hVar.name());
                    s6.append(")' method to create a key pair guaranteed to be secure enough for ");
                    s6.append(hVar.name());
                    s6.append(".  See https://tools.ietf.org/html/rfc7518#section-");
                    s6.append(str);
                    s6.append(" for more information.");
                    throw new e(s6.toString());
                }
            }
        }
        this.c = hVar;
        this.d = secretKeySpec;
        return this;
    }

    public DefaultClaims e() {
        if (this.b == null) {
            this.b = new DefaultClaims();
        }
        return this.b;
    }
}
