package org.keycloak.sdjwt.sdjwtvp;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;
import java.time.Instant;
import java.util.Arrays;
import java.util.Iterator;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.junit.Assert;
import org.junit.ClassRule;
import org.junit.Test;
import org.keycloak.common.VerificationException;
import org.keycloak.rule.CryptoInitRule;
import org.keycloak.sdjwt.IssuerSignedJwtVerificationOpts;
import org.keycloak.sdjwt.TestSettings;
import org.keycloak.sdjwt.TestUtils;
import org.keycloak.sdjwt.vp.KeyBindingJWT;
import org.keycloak.sdjwt.vp.KeyBindingJwtVerificationOpts;
import org.keycloak.sdjwt.vp.SdJwtVP;

/* loaded from: input_file:org/keycloak/sdjwt/sdjwtvp/SdJwtVPVerificationTest.class */
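/**
 * Verification tests for SD-JWT verifiable presentations ({@link SdJwtVP}).
 *
 * <p>Each test loads a presentation from a fixture under {@code sdjwt/} (or re-signs the Key
 * Binding JWT of one), runs {@code verify} with issuer-signed and key-binding options, and
 * checks either that verification succeeds or that it fails with a specific message.
 *
 * <p>The class is abstract; concrete subclasses are not visible in this file.
 *
 * <p>NOTE(review): the option defaults used here deliberately relax time and freshness checks
 * so that static fixtures verify. They are test settings, not a template for a production
 * verifier. See {@link #defaultIssuerSignedJwtVerificationOpts()} and
 * {@link #defaultKeyBindingJwtVerificationOpts()}.
 */
public abstract class SdJwtVPVerificationTest {

    // JUnit 4 requires @ClassRule fields to be public and static.
    @ClassRule
    public static CryptoInitRule cryptoInitRule = new CryptoInitRule();

    // Shared Jackson mapper used to build Key Binding JWT payloads.
    static ObjectMapper mapper = new ObjectMapper();

    // Shared test fixtures; this class reads holderSigContext and issuerVerifierContext from it.
    static TestSettings testSettings = TestSettings.getInstance();

    /** A presentation carrying a Key Binding JWT verifies under the default options. */
    @Test
    public void testVerif_s20_1_sdjwt_with_kb() throws VerificationException {
        verifyWithDefaults("sdjwt/s20.1-sdjwt+kb.txt");
    }

    /**
     * Both fixtures verify under the default options.
     * Judging by the file names they use ES384 and ES512 holder keys; confirm against the fixtures.
     */
    @Test
    public void testVerif_s20_8_sdjwt_with_kb__AltCnfCurves() throws VerificationException {
        for (String fixture : Arrays.asList(
                "sdjwt/s20.8-sdjwt+kb--es384.txt",
                "sdjwt/s20.8-sdjwt+kb--es512.txt")) {
            verifyWithDefaults(fixture);
        }
    }

    /**
     * All four fixtures verify under the default options.
     * Judging by the file names they use RSA holder keys with RS256/PS256/PS384/PS512; confirm
     * against the fixtures.
     */
    @Test
    public void testVerif_s20_8_sdjwt_with_kb__CnfRSA() throws VerificationException {
        for (String fixture : Arrays.asList(
                "sdjwt/s20.8-sdjwt+kb--cnf-rsa-rs256.txt",
                "sdjwt/s20.8-sdjwt+kb--cnf-rsa-ps256.txt",
                "sdjwt/s20.8-sdjwt+kb--cnf-rsa-ps384.txt",
                "sdjwt/s20.8-sdjwt+kb--cnf-rsa-ps512.txt")) {
            verifyWithDefaults(fixture);
        }
    }

    /**
     * A presentation verifies when key binding is explicitly not required.
     *
     * <p>The same fixture is rejected with "Missing Key Binding JWT" when key binding is
     * required (see {@link #testShouldFail_IfKeyBindingRequiredAndMissing()}). Turning the
     * requirement off therefore means the verifier accepts a presentation without any holder
     * proof bound to its nonce and audience.
     */
    @Test
    public void testVerifKeyBindingNotRequired() throws VerificationException {
        SdJwtVP presentation =
                SdJwtVP.of(TestUtils.readFileAsString(getClass(), "sdjwt/s6.2-presented-sdjwtvp.txt"));
        presentation.verify(
                defaultIssuerSignedJwtVerificationOpts().build(),
                defaultKeyBindingJwtVerificationOpts().withKeyBindingRequired(false).build());
    }

    /** A disclosure whose digest is not referenced by the signed payload must be rejected. */
    @Test
    public void testShouldFail_IfExtraDisclosureWithNoDigest() {
        testShouldFailGeneric(
                "sdjwt/s20.6-sdjwt+kb--disclosure-with-no-digest.txt",
                defaultKeyBindingJwtVerificationOpts().build(),
                "At least one disclosure is not protected by digest",
                null);
    }

    /** A field disclosure that does not have exactly three elements must be rejected. */
    @Test
    public void testShouldFail_IfFieldDisclosureLengthIncorrect() {
        testShouldFailGeneric(
                "sdjwt/s20.7-sdjwt+kb--invalid-field-disclosure.txt",
                defaultKeyBindingJwtVerificationOpts().build(),
                "A field disclosure must contain exactly three elements",
                null);
    }

    /** An array element disclosure that does not have exactly two elements must be rejected. */
    @Test
    public void testShouldFail_IfArrayElementDisclosureLengthIncorrect() {
        testShouldFailGeneric(
                "sdjwt/s20.7-sdjwt+kb--invalid-array-elt-disclosure.txt",
                defaultKeyBindingJwtVerificationOpts().build(),
                "An array element disclosure must contain exactly two elements",
                null);
    }

    /** With key binding required, a presentation without a Key Binding JWT must be rejected. */
    @Test
    public void testShouldFail_IfKeyBindingRequiredAndMissing() {
        testShouldFailGeneric(
                "sdjwt/s6.2-presented-sdjwtvp.txt",
                defaultKeyBindingJwtVerificationOpts().withKeyBindingRequired(true).build(),
                "Missing Key Binding JWT",
                null);
    }

    /** A Key Binding JWT whose signature does not verify must be rejected. */
    @Test
    public void testShouldFail_IfKeyBindingJwtSignatureInvalid() {
        testShouldFailGeneric(
                "sdjwt/s20.1-sdjwt+kb--wrong-kb-signature.txt",
                defaultKeyBindingJwtVerificationOpts().build(),
                "Key binding JWT invalid",
                "VerificationException: Invalid jws signature");
    }

    /** Key binding cannot be checked when the issuer-signed JWT has no {@code cnf} claim. */
    @Test
    public void testShouldFail_IfNoCnfClaim() {
        testShouldFailGeneric(
                "sdjwt/s20.2-sdjwt+kb--no-cnf-claim.txt",
                defaultKeyBindingJwtVerificationOpts().build(),
                "No cnf claim in Issuer-signed JWT for key binding",
                null);
    }

    /** A Key Binding JWT whose {@code typ} is not {@code kb+jwt} must be rejected. */
    @Test
    public void testShouldFail_IfWrongKbTyp() {
        testShouldFailGeneric(
                "sdjwt/s20.3-sdjwt+kb--wrong-kb-typ.txt",
                defaultKeyBindingJwtVerificationOpts().build(),
                "Key Binding JWT is not of declared typ kb+jwt",
                null);
    }

    /** Replay check: a verifier expecting a different nonce must reject the presentation. */
    @Test
    public void testShouldFail_IfReplayChecksFail_Nonce() {
        testShouldFailGeneric(
                "sdjwt/s20.1-sdjwt+kb.txt",
                defaultKeyBindingJwtVerificationOpts().withNonce("abcd").build(),
                "Key binding JWT: Unexpected `nonce` value",
                null);
    }

    /** Replay check: a verifier expecting a different audience must reject the presentation. */
    @Test
    public void testShouldFail_IfReplayChecksFail_Aud() {
        testShouldFailGeneric(
                "sdjwt/s20.1-sdjwt+kb.txt",
                defaultKeyBindingJwtVerificationOpts().withAud("abcd").build(),
                "Key binding JWT: Unexpected `aud` value",
                null);
    }

    /** An {@code sd_hash} claim that is a number rather than a string must be rejected. */
    @Test
    public void testShouldFail_IfKbSdHashWrongFormat() {
        ObjectNode kbPayload = exampleKbPayload();
        kbPayload.set("sd_hash", mapper.valueToTree(1234));
        testShouldFailGeneric2(
                kbPayload,
                defaultKeyBindingJwtVerificationOpts().build(),
                "Key binding JWT: Claim `sd_hash` missing or not a string",
                null);
    }

    /** An {@code sd_hash} that does not match the presented SD-JWT must be rejected. */
    @Test
    public void testShouldFail_IfKbSdHashInvalid() {
        ObjectNode kbPayload = exampleKbPayload();
        kbPayload.put("sd_hash", "c3FmZHFmZGZlZXNkZmZi");
        testShouldFailGeneric2(
                kbPayload,
                defaultKeyBindingJwtVerificationOpts().build(),
                "Key binding JWT: Invalid `sd_hash` digest",
                null);
    }

    /** A Key Binding JWT with {@code iat} 1000 seconds in the future must be rejected. */
    @Test
    public void testShouldFail_IfKbIssuedInFuture() {
        long now = Instant.now().getEpochSecond();
        ObjectNode kbPayload = exampleKbPayload();
        kbPayload.set("iat", mapper.valueToTree(now + 1000));
        testShouldFailGeneric2(
                kbPayload,
                defaultKeyBindingJwtVerificationOpts().build(),
                "Key binding JWT: Invalid `iat` claim",
                "jwt issued in the future");
    }

    /** With a 60 second maximum age, a Key Binding JWT with an old {@code iat} must be rejected. */
    @Test
    public void testShouldFail_IfKbTooOld() {
        // NOTE(review): 1683000000 presumably matches the issuer-signed JWT's iat in the
        // fixtures; confirm against TestSettings.
        long staleIat = 1683000000L - 120;
        ObjectNode kbPayload = exampleKbPayload();
        kbPayload.set("iat", mapper.valueToTree(staleIat));
        testShouldFailGeneric2(
                kbPayload,
                defaultKeyBindingJwtVerificationOpts().withAllowedMaxAge(60).build(),
                "Key binding JWT is too old",
                null);
    }

    /** With {@code exp} validation on, a Key Binding JWT that expired 1000 seconds ago must be rejected. */
    @Test
    public void testShouldFail_IfKbExpired() {
        long now = Instant.now().getEpochSecond();
        ObjectNode kbPayload = exampleKbPayload();
        kbPayload.set("exp", mapper.valueToTree(now - 1000));
        testShouldFailGeneric2(
                kbPayload,
                defaultKeyBindingJwtVerificationOpts().withValidateExpirationClaim(true).build(),
                "Key binding JWT: Invalid `exp` claim",
                "jwt has expired");
    }

    /** With {@code nbf} validation on, a Key Binding JWT not valid for another 1000 seconds must be rejected. */
    @Test
    public void testShouldFail_IfKbNotBeforeTimeYet() {
        long now = Instant.now().getEpochSecond();
        ObjectNode kbPayload = exampleKbPayload();
        kbPayload.set("nbf", mapper.valueToTree(now + 1000));
        testShouldFailGeneric2(
                kbPayload,
                defaultKeyBindingJwtVerificationOpts().withValidateNotBeforeClaim(true).build(),
                "Key binding JWT: Invalid `nbf` claim",
                "jwt not valid yet");
    }

    /**
     * A {@code cnf} claim that is not a JWK is reported as unsupported.
     * Unlike the other failures this surfaces as {@link UnsupportedOperationException}, not
     * {@link VerificationException}.
     */
    @Test
    public void testShouldFail_IfCnfNotJwk() {
        SdJwtVP presentation =
                SdJwtVP.of(TestUtils.readFileAsString(getClass(), "sdjwt/s20.8-sdjwt+kb--cnf-is-not-jwk.txt"));
        UnsupportedOperationException thrown = Assert.assertThrows(
                UnsupportedOperationException.class,
                () -> presentation.verify(
                        defaultIssuerSignedJwtVerificationOpts().build(),
                        defaultKeyBindingJwtVerificationOpts().build()));
        Assert.assertEquals("Only cnf/jwk claim supported", thrown.getMessage());
    }

    /** A malformed {@code cnf/jwk} must be rejected. */
    @Test
    public void testShouldFail_IfCnfJwkCantBeParsed() {
        testShouldFailGeneric(
                "sdjwt/s20.8-sdjwt+kb--cnf-jwk-is-malformed.txt",
                defaultKeyBindingJwtVerificationOpts().build(),
                "Malformed or unsupported cnf/jwk claim",
                null);
    }

    /**
     * An unsupported {@code cnf/jwk} must be rejected.
     * The fixture name suggests an HMAC (symmetric) holder key; confirm against the fixture.
     */
    @Test
    public void testShouldFail_IfCnfJwkCantBeParsed2() {
        testShouldFailGeneric(
                "sdjwt/s20.8-sdjwt+kb--cnf-hmac.txt",
                defaultKeyBindingJwtVerificationOpts().build(),
                "Malformed or unsupported cnf/jwk claim",
                null);
    }

    /**
     * Loads a fixture presentation and asserts that verification fails as expected.
     *
     * @param fixturePath classpath-relative path of the presentation fixture
     * @param kbOpts key-binding verification options to apply
     * @param expectedMessage exact message expected on the thrown {@link VerificationException}
     * @param expectedCauseFragment substring expected in the cause's message, or {@code null}
     *     to skip the cause check
     */
    private void testShouldFailGeneric(
            String fixturePath,
            KeyBindingJwtVerificationOpts kbOpts,
            String expectedMessage,
            String expectedCauseFragment) {
        SdJwtVP presentation = SdJwtVP.of(TestUtils.readFileAsString(getClass(), fixturePath));
        VerificationException thrown = assertVerificationFails(presentation, kbOpts);
        Assert.assertEquals(expectedMessage, thrown.getMessage());
        if (expectedCauseFragment != null) {
            // Fail with a readable assertion rather than a NullPointerException if the cause is missing.
            Assert.assertNotNull("Expected the verification failure to carry a cause", thrown.getCause());
            MatcherAssert.assertThat(
                    thrown.getCause().getMessage(), CoreMatchers.containsString(expectedCauseFragment));
        }
    }

    /**
     * Replaces the Key Binding JWT of the {@code s20.1} fixture with one built from
     * {@code kbPayload}, signed with the test holder key, and asserts that verification fails.
     *
     * <p>The forged Key Binding JWT is validly signed, so these cases exercise the claim checks
     * rather than the signature check.
     *
     * @param kbPayload claims of the replacement Key Binding JWT
     * @param kbOpts key-binding verification options to apply
     * @param expectedMessage exact message expected on the thrown {@link VerificationException}
     * @param expectedCauseMessage exact message expected on the cause, or {@code null} to skip
     *     the cause check
     */
    private void testShouldFailGeneric2(
            JsonNode kbPayload,
            KeyBindingJwtVerificationOpts kbOpts,
            String expectedMessage,
            String expectedCauseMessage) {
        KeyBindingJWT replacementKbJwt = KeyBindingJWT.from(kbPayload, testSettings.holderSigContext, "kb+jwt");
        String original = TestUtils.readFileAsString(getClass(), "sdjwt/s20.1-sdjwt+kb.txt");
        // Keep everything up to and including the last '~', then append the new Key Binding JWT.
        String withoutKbJwt = original.substring(0, original.lastIndexOf("~") + 1);
        SdJwtVP presentation = SdJwtVP.of(withoutKbJwt + replacementKbJwt.toJws());

        VerificationException thrown = assertVerificationFails(presentation, kbOpts);
        Assert.assertEquals(expectedMessage, thrown.getMessage());
        if (expectedCauseMessage != null) {
            // Fail with a readable assertion rather than a NullPointerException if the cause is missing.
            Assert.assertNotNull("Expected the verification failure to carry a cause", thrown.getCause());
            Assert.assertEquals(expectedCauseMessage, thrown.getCause().getMessage());
        }
    }

    /** Loads a fixture presentation and verifies it with the default options of this class. */
    private void verifyWithDefaults(String fixturePath) throws VerificationException {
        SdJwtVP presentation = SdJwtVP.of(TestUtils.readFileAsString(getClass(), fixturePath));
        presentation.verify(
                defaultIssuerSignedJwtVerificationOpts().build(),
                defaultKeyBindingJwtVerificationOpts().build());
    }

    /** Runs verification with default issuer options and returns the expected {@link VerificationException}. */
    private VerificationException assertVerificationFails(
            SdJwtVP presentation, KeyBindingJwtVerificationOpts kbOpts) {
        return Assert.assertThrows(
                VerificationException.class,
                () -> presentation.verify(defaultIssuerSignedJwtVerificationOpts().build(), kbOpts));
    }

    /**
     * Issuer-signed JWT options used by every test: the test issuer verifier, with {@code iat}
     * and {@code nbf} validation switched off.
     *
     * <p>NOTE(review): the time checks are presumably disabled because the fixtures carry fixed
     * timestamps. This is a test-only relaxation; a deployed verifier should not copy it.
     */
    private IssuerSignedJwtVerificationOpts.Builder defaultIssuerSignedJwtVerificationOpts() {
        return IssuerSignedJwtVerificationOpts.builder()
                .withVerifier(testSettings.issuerVerifierContext)
                .withValidateIssuedAtClaim(false)
                .withValidateNotBeforeClaim(false);
    }

    /**
     * Key Binding JWT options used as the baseline: key binding required, the nonce and
     * audience that {@link #exampleKbPayload()} also uses, no effective age limit, and
     * {@code exp}/{@code nbf} validation switched off.
     *
     * <p>NOTE(review): {@code Integer.MAX_VALUE} as maximum age, a constant nonce and disabled
     * time checks exist so that static fixtures verify. Together they switch off the freshness
     * part of replay protection. A deployed verifier needs a fresh nonce per presentation
     * request, its own audience value and a bounded maximum age.
     */
    private KeyBindingJwtVerificationOpts.Builder defaultKeyBindingJwtVerificationOpts() {
        return KeyBindingJwtVerificationOpts.builder()
                .withKeyBindingRequired(true)
                .withAllowedMaxAge(Integer.MAX_VALUE)
                .withNonce("1234567890")
                .withAud("https://verifier.example.org")
                .withValidateExpirationClaim(false)
                .withValidateNotBeforeClaim(false);
    }

    /**
     * Builds a Key Binding JWT payload whose nonce and audience match
     * {@link #defaultKeyBindingJwtVerificationOpts()}.
     *
     * <p>NOTE(review): the {@code sd_hash} value presumably matches the {@code s20.1} fixture
     * that {@code testShouldFailGeneric2} re-signs; confirm against the fixture.
     */
    private ObjectNode exampleKbPayload() {
        ObjectNode payload = mapper.createObjectNode();
        payload.put("nonce", "1234567890");
        payload.put("aud", "https://verifier.example.org");
        payload.put("sd_hash", "X9RrrfWt_70gHzOcovGSIt4Fms9Tf2g2hjlWVI_cxZg");
        payload.set("iat", mapper.valueToTree(1702315679));
        return payload;
    }
}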
