package org.keycloak.sdjwt;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.node.ArrayNode;
import com.fasterxml.jackson.databind.node.ObjectNode;
import java.time.Instant;
import java.util.AbstractMap;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import org.keycloak.common.VerificationException;
import org.keycloak.crypto.Algorithm;
import org.keycloak.crypto.AsymmetricSignatureVerifierContext;
import org.keycloak.crypto.ECDSASignatureVerifierContext;
import org.keycloak.crypto.KeyWrapper;
import org.keycloak.crypto.SignatureVerifierContext;
import org.keycloak.jose.jwk.JWK;
import org.keycloak.representations.IDToken;
import org.keycloak.representations.docker.DockerAccess;
import org.keycloak.sdjwt.vp.KeyBindingJWT;
import org.keycloak.sdjwt.vp.KeyBindingJwtVerificationOpts;
import org.keycloak.util.JWKSUtils;

/* loaded from: input_file:org/keycloak/sdjwt/SdJwtVerificationContext.class */
public class SdJwtVerificationContext {
    private String sdJwtVpString;
    private final IssuerSignedJWT issuerSignedJwt;
    private final Map<String, String> disclosures;
    private KeyBindingJWT keyBindingJwt;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/keycloak/sdjwt/SdJwtVerificationContext$DisclosureFields.class */
    public static class DisclosureFields {
        String saltValue;
        String claimName;
        JsonNode claimValue;

        public DisclosureFields(String str, String str2, JsonNode jsonNode) {
            this.saltValue = str;
            this.claimName = str2;
            this.claimValue = jsonNode;
        }

        public String getSaltValue() {
            return this.saltValue;
        }

        public String getClaimName() {
            return this.claimName;
        }

        public JsonNode getClaimValue() {
            return this.claimValue;
        }
    }

    public SdJwtVerificationContext(String str, IssuerSignedJWT issuerSignedJWT, Map<String, String> map, KeyBindingJWT keyBindingJWT) {
        this(issuerSignedJWT, map);
        this.keyBindingJwt = keyBindingJWT;
        this.sdJwtVpString = str;
    }

    public SdJwtVerificationContext(IssuerSignedJWT issuerSignedJWT, Map<String, String> map) {
        this.issuerSignedJwt = issuerSignedJWT;
        this.disclosures = map;
    }

    public SdJwtVerificationContext(IssuerSignedJWT issuerSignedJWT, List<String> list) {
        this.issuerSignedJwt = issuerSignedJWT;
        this.disclosures = computeDigestDisclosureMap(list);
    }

    private Map<String, String> computeDigestDisclosureMap(List<String> list) {
        return (Map) list.stream().map(str -> {
            return new AbstractMap.SimpleEntry(SdJwtUtils.hashAndBase64EncodeNoPad(str.getBytes(), this.issuerSignedJwt.getSdHashAlg()), str);
        }).collect(Collectors.toMap((v0) -> {
            return v0.getKey();
        }, (v0) -> {
            return v0.getValue();
        }));
    }

    public void verifyIssuance(IssuerSignedJwtVerificationOpts issuerSignedJwtVerificationOpts) throws VerificationException {
        validateIssuerSignedJwt(issuerSignedJwtVerificationOpts.getVerifier());
        validateIssuerSignedJwtTimeClaims(validateDisclosuresDigests(), issuerSignedJwtVerificationOpts);
    }

    public void verifyPresentation(IssuerSignedJwtVerificationOpts issuerSignedJwtVerificationOpts, KeyBindingJwtVerificationOpts keyBindingJwtVerificationOpts) throws VerificationException {
        if (keyBindingJwtVerificationOpts.isKeyBindingRequired() && this.keyBindingJwt == null) {
            throw new VerificationException("Missing Key Binding JWT");
        }
        verifyIssuance(issuerSignedJwtVerificationOpts);
        if (keyBindingJwtVerificationOpts.isKeyBindingRequired()) {
            validateKeyBindingJwt(keyBindingJwtVerificationOpts);
        }
    }

    private void validateIssuerSignedJwt(SignatureVerifierContext signatureVerifierContext) throws VerificationException {
        this.issuerSignedJwt.verifySdHashAlgorithm();
        try {
            this.issuerSignedJwt.verifySignature(signatureVerifierContext);
        } catch (VerificationException e) {
            throw new VerificationException("Invalid Issuer-Signed JWT", e);
        }
    }

    private void validateKeyBindingJwt(KeyBindingJwtVerificationOpts keyBindingJwtVerificationOpts) throws VerificationException {
        validateKeyBindingJwtTyp();
        try {
            this.keyBindingJwt.verifySignature(buildHolderVerifier(this.issuerSignedJwt.getCnfClaim().orElseThrow(() -> {
                return new VerificationException("No cnf claim in Issuer-signed JWT for key binding");
            })));
            validateKeyBindingJwtTimeClaims(keyBindingJwtVerificationOpts);
            preventKeyBindingJwtReplay(keyBindingJwtVerificationOpts);
            validateKeyBindingJwtSdHashIntegrity();
        } catch (VerificationException e) {
            throw new VerificationException("Key binding JWT invalid", e);
        }
    }

    private void validateKeyBindingJwtTyp() throws VerificationException {
        if (!this.keyBindingJwt.getHeader().getType().equals(KeyBindingJWT.TYP)) {
            throw new VerificationException("Key Binding JWT is not of declared typ kb+jwt");
        }
    }

    private SignatureVerifierContext buildHolderVerifier(JsonNode jsonNode) throws VerificationException {
        Objects.requireNonNull(jsonNode);
        JsonNode jsonNode2 = jsonNode.get("jwk");
        if (jsonNode2 == null) {
            throw new UnsupportedOperationException("Only cnf/jwk claim supported");
        }
        try {
            KeyWrapper keyWrapper = JWKSUtils.getKeyWrapper((JWK) SdJwtUtils.mapper.convertValue(jsonNode2, JWK.class));
            Objects.requireNonNull(keyWrapper);
            if (!keyWrapper.getType().equals("EC")) {
                if (keyWrapper.getType().equals("RSA")) {
                    return new AsymmetricSignatureVerifierContext(keyWrapper);
                }
                throw new VerificationException("cnf/jwk alg is unsupported or deemed not secure");
            }
            if (keyWrapper.getAlgorithm() == null) {
                Objects.requireNonNull(keyWrapper.getCurve());
                String str = null;
                String curve = keyWrapper.getCurve();
                boolean z = -1;
                switch (curve.hashCode()) {
                    case 75272022:
                        if (curve.equals("P-256")) {
                            z = false;
                            break;
                        }
                        break;
                    case 75273074:
                        if (curve.equals("P-384")) {
                            z = true;
                            break;
                        }
                        break;
                    case 75274807:
                        if (curve.equals("P-521")) {
                            z = 2;
                            break;
                        }
                        break;
                }
                switch (z) {
                    case DockerAccess.ACCESS_TYPE /* 0 */:
                        str = Algorithm.ES256;
                        break;
                    case DockerAccess.REPOSITORY_NAME /* 1 */:
                        str = Algorithm.ES384;
                        break;
                    case DockerAccess.PERMISSIONS /* 2 */:
                        str = Algorithm.ES512;
                        break;
                }
                keyWrapper.setAlgorithm(str);
            }
            return new ECDSASignatureVerifierContext(keyWrapper);
        } catch (Exception e) {
            throw new VerificationException("Malformed or unsupported cnf/jwk claim");
        }
    }

    private void validateIssuerSignedJwtTimeClaims(JsonNode jsonNode, IssuerSignedJwtVerificationOpts issuerSignedJwtVerificationOpts) throws VerificationException {
        long epochSecond = Instant.now().getEpochSecond();
        try {
            if (issuerSignedJwtVerificationOpts.mustValidateIssuedAtClaim() && epochSecond < SdJwtUtils.readTimeClaim(jsonNode, "iat")) {
                throw new VerificationException("JWT issued in the future");
            }
            try {
                if (issuerSignedJwtVerificationOpts.mustValidateExpirationClaim() && epochSecond >= SdJwtUtils.readTimeClaim(jsonNode, "exp")) {
                    throw new VerificationException("JWT has expired");
                }
                try {
                    if (!issuerSignedJwtVerificationOpts.mustValidateNotBeforeClaim() || epochSecond >= SdJwtUtils.readTimeClaim(jsonNode, "nbf")) {
                    } else {
                        throw new VerificationException("JWT is not yet valid");
                    }
                } catch (VerificationException e) {
                    throw new VerificationException("Issuer-Signed JWT: Invalid `nbf` claim", e);
                }
            } catch (VerificationException e2) {
                throw new VerificationException("Issuer-Signed JWT: Invalid `exp` claim", e2);
            }
        } catch (VerificationException e3) {
            throw new VerificationException("Issuer-Signed JWT: Invalid `iat` claim", e3);
        }
    }

    private void validateKeyBindingJwtTimeClaims(KeyBindingJwtVerificationOpts keyBindingJwtVerificationOpts) throws VerificationException {
        try {
            this.keyBindingJwt.verifyIssuedAtClaim();
            try {
                this.keyBindingJwt.verifyAge(keyBindingJwtVerificationOpts.getAllowedMaxAge());
                try {
                    if (keyBindingJwtVerificationOpts.mustValidateExpirationClaim()) {
                        this.keyBindingJwt.verifyExpClaim();
                    }
                    try {
                        if (keyBindingJwtVerificationOpts.mustValidateNotBeforeClaim()) {
                            this.keyBindingJwt.verifyNotBeforeClaim();
                        }
                    } catch (VerificationException e) {
                        throw new VerificationException("Key binding JWT: Invalid `nbf` claim", e);
                    }
                } catch (VerificationException e2) {
                    throw new VerificationException("Key binding JWT: Invalid `exp` claim", e2);
                }
            } catch (VerificationException e3) {
                throw new VerificationException("Key binding JWT is too old");
            }
        } catch (VerificationException e4) {
            throw new VerificationException("Key binding JWT: Invalid `iat` claim", e4);
        }
    }

    private JsonNode validateDisclosuresDigests() throws VerificationException {
        HashSet hashSet = new HashSet();
        HashSet hashSet2 = new HashSet();
        HashSet hashSet3 = new HashSet();
        JsonNode validateViaRecursiveDisclosing = validateViaRecursiveDisclosing(SdJwtUtils.deepClone(this.issuerSignedJwt.getPayload()), hashSet, hashSet2, hashSet3);
        validateDisclosuresVisits(hashSet3);
        return validateViaRecursiveDisclosing;
    }

    private JsonNode validateViaRecursiveDisclosing(JsonNode jsonNode, Set<String> set, Set<String> set2, Set<String> set3) throws VerificationException {
        if (!jsonNode.isObject() && !jsonNode.isArray()) {
            return jsonNode;
        }
        if (jsonNode.isObject()) {
            ObjectNode objectNode = (ObjectNode) jsonNode;
            JsonNode jsonNode2 = objectNode.get(IssuerSignedJWT.CLAIM_NAME_SELECTIVE_DISCLOSURE);
            if (jsonNode2 != null && jsonNode2.isArray()) {
                Iterator it = jsonNode2.iterator();
                while (it.hasNext()) {
                    JsonNode jsonNode3 = (JsonNode) it.next();
                    if (!jsonNode3.isTextual()) {
                        throw new VerificationException("Unexpected non-string element inside _sd array: " + jsonNode3);
                    }
                    String asText = jsonNode3.asText();
                    markDigestAsVisited(asText, set2);
                    String str = this.disclosures.get(asText);
                    if (str != null) {
                        set3.add(str);
                        DisclosureFields validateSdArrayDigestDisclosureFormat = validateSdArrayDigestDisclosureFormat(str);
                        markSaltAsVisited(validateSdArrayDigestDisclosureFormat.getSaltValue(), set);
                        objectNode.set(validateSdArrayDigestDisclosureFormat.getClaimName(), validateSdArrayDigestDisclosureFormat.getClaimValue());
                    }
                }
            }
            objectNode.remove(IssuerSignedJWT.CLAIM_NAME_SELECTIVE_DISCLOSURE);
            objectNode.remove(IssuerSignedJWT.CLAIM_NAME_SD_HASH_ALGORITHM);
        }
        if (jsonNode.isArray()) {
            ArrayNode arrayNode = (ArrayNode) jsonNode;
            ArrayList arrayList = new ArrayList();
            for (int i = 0; i < arrayNode.size(); i++) {
                JsonNode jsonNode4 = arrayNode.get(i);
                if (jsonNode4.isObject() && jsonNode4.size() == 1) {
                    Map.Entry entry = (Map.Entry) jsonNode4.fields().next();
                    if (((String) entry.getKey()).equals(UndisclosedArrayElement.SD_CLAIM_NAME) && ((JsonNode) entry.getValue()).isTextual()) {
                        String asText2 = ((JsonNode) entry.getValue()).asText();
                        markDigestAsVisited(asText2, set2);
                        String str2 = this.disclosures.get(asText2);
                        if (str2 != null) {
                            set3.add(str2);
                            DisclosureFields validateArrayElementDigestDisclosureFormat = validateArrayElementDigestDisclosureFormat(str2);
                            markSaltAsVisited(validateArrayElementDigestDisclosureFormat.getSaltValue(), set);
                            arrayNode.set(i, validateArrayElementDigestDisclosureFormat.getClaimValue());
                        } else {
                            arrayList.add(Integer.valueOf(i));
                        }
                    }
                }
            }
            Objects.requireNonNull(arrayNode);
            arrayList.forEach((v1) -> {
                r1.remove(v1);
            });
        }
        Iterator it2 = jsonNode.iterator();
        while (it2.hasNext()) {
            validateViaRecursiveDisclosing((JsonNode) it2.next(), set, set2, set3);
        }
        return jsonNode;
    }

    private void markDigestAsVisited(String str, Set<String> set) throws VerificationException {
        if (!set.add(str)) {
            throw new VerificationException("A digest was encountered more than once: " + str);
        }
    }

    private void markSaltAsVisited(String str, Set<String> set) throws VerificationException {
        if (!set.add(str)) {
            throw new VerificationException("A salt value was reused: " + str);
        }
    }

    private DisclosureFields validateSdArrayDigestDisclosureFormat(String str) throws VerificationException {
        ArrayNode decodeDisclosureString = SdJwtUtils.decodeDisclosureString(str);
        if (decodeDisclosureString.size() != 3) {
            throw new VerificationException("A field disclosure must contain exactly three elements");
        }
        List asList = Arrays.asList(IssuerSignedJWT.CLAIM_NAME_SELECTIVE_DISCLOSURE, UndisclosedArrayElement.SD_CLAIM_NAME);
        String asText = decodeDisclosureString.get(1).asText();
        if (asList.contains(asText)) {
            throw new VerificationException("Disclosure claim name must not be '_sd' or '...'");
        }
        return new DisclosureFields(decodeDisclosureString.get(0).asText(), asText, decodeDisclosureString.get(2));
    }

    private DisclosureFields validateArrayElementDigestDisclosureFormat(String str) throws VerificationException {
        ArrayNode decodeDisclosureString = SdJwtUtils.decodeDisclosureString(str);
        if (decodeDisclosureString.size() != 2) {
            throw new VerificationException("An array element disclosure must contain exactly two elements");
        }
        return new DisclosureFields(decodeDisclosureString.get(0).asText(), null, decodeDisclosureString.get(1));
    }

    private void validateDisclosuresVisits(Set<String> set) throws VerificationException {
        if (set.size() < this.disclosures.size()) {
            throw new VerificationException("At least one disclosure is not protected by digest");
        }
    }

    private void preventKeyBindingJwtReplay(KeyBindingJwtVerificationOpts keyBindingJwtVerificationOpts) throws VerificationException {
        JsonNode jsonNode = this.keyBindingJwt.getPayload().get(IDToken.NONCE);
        if (jsonNode == null || !jsonNode.isTextual() || !jsonNode.asText().equals(keyBindingJwtVerificationOpts.getNonce())) {
            throw new VerificationException("Key binding JWT: Unexpected `nonce` value");
        }
        JsonNode jsonNode2 = this.keyBindingJwt.getPayload().get("aud");
        if (jsonNode2 == null || !jsonNode2.isTextual() || !jsonNode2.asText().equals(keyBindingJwtVerificationOpts.getAud())) {
            throw new VerificationException("Key binding JWT: Unexpected `aud` value");
        }
    }

    private void validateKeyBindingJwtSdHashIntegrity() throws VerificationException {
        Objects.requireNonNull(this.sdJwtVpString);
        JsonNode jsonNode = this.keyBindingJwt.getPayload().get("sd_hash");
        if (jsonNode == null || !jsonNode.isTextual()) {
            throw new VerificationException("Key binding JWT: Claim `sd_hash` missing or not a string");
        }
        if (!SdJwtUtils.hashAndBase64EncodeNoPad(this.sdJwtVpString.substring(0, this.sdJwtVpString.lastIndexOf(SdJwt.DELIMITER) + 1).getBytes(), this.issuerSignedJwt.getSdHashAlg()).equals(jsonNode.asText())) {
            throw new VerificationException("Key binding JWT: Invalid `sd_hash` digest");
        }
    }
}
