package uk.gov.di.ipv.cri.common.library.service;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.crypto.impl.ECDSA;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.oauth2.sdk.id.ClientID;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import uk.gov.di.ipv.cri.common.library.exception.ClientConfigurationException;
import uk.gov.di.ipv.cri.common.library.exception.SessionValidationException;

/* loaded from: input_file:uk/gov/di/ipv/cri/common/library/service/JWTVerifier.class */
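/**
 * Verifies JWTs presented by a client against that client's registration config.
 *
 * <p>The config map is expected to carry:
 * <ul>
 *   <li>{@code authenticationAlg} - the JWS algorithm name the client is registered with;
 *   <li>{@code publicSigningJwkBase64} - base64 of an X.509 certificate (RSA family) or of an
 *       EC JWK JSON document (EC family);
 *   <li>{@code issuer} and {@code audience} - expected claim values.
 * </ul>
 *
 * <p>Checks run in this order: the header {@code alg} is pinned to the configured algorithm
 * (the token never gets to choose it), the signature is verified with the configured public
 * key, and only then are the claims compared - claim values are not acted on before the token
 * has been authenticated. A failing token surfaces as a {@link SessionValidationException}; a
 * missing or malformed client config surfaces as a {@link ClientConfigurationException}.
 */
public class JWTVerifier {

    private static final String CONFIG_AUTHENTICATION_ALG = "authenticationAlg";
    private static final String CONFIG_PUBLIC_SIGNING_KEY = "publicSigningJwkBase64";
    private static final String CONFIG_ISSUER = "issuer";
    private static final String CONFIG_AUDIENCE = "audience";

    /**
     * Verifies the JWT sent on the authorization request.
     *
     * <p>{@code iss} and {@code aud} must equal the configured issuer/audience; {@code exp},
     * {@code sub} and {@code nbf} must be present. {@code exp}/{@code nbf} are checked against
     * the clock by {@link DefaultJWTClaimsVerifier} with its default skew tolerance.
     *
     * @param map client config (see class doc)
     * @param signedJWT the parsed, still-unverified token
     * @throws SessionValidationException if any header, signature or claim check fails
     * @throws ClientConfigurationException if the client config is missing or unusable
     */
    public void verifyAuthorizationJWT(Map<String, String> map, SignedJWT signedJWT) throws SessionValidationException, ClientConfigurationException {
        JWTClaimsSet expectedClaims = new JWTClaimsSet.Builder()
                .issuer(map.get(CONFIG_ISSUER))
                .audience(map.get(CONFIG_AUDIENCE))
                .build();
        // iss/aud are listed as required explicitly so an absent claim is reported as
        // "missing" rather than relying on the exact-match step to notice it.
        verifyJWT(map, signedJWT, Set.of("exp", "sub", "nbf", "iss", "aud"), expectedClaims);
    }

    /**
     * Verifies the client assertion JWT sent on the access-token request.
     *
     * <p>{@code iss} and {@code sub} must both equal the client id and {@code aud} the configured
     * audience; {@code exp} and {@code jti} must also be present. Note that {@code jti} is only
     * required to exist - no replay tracking happens in this class.
     *
     * @param map client config (see class doc)
     * @param signedJWT the parsed, still-unverified token
     * @param clientID the client the token must be issued by and about
     * @throws SessionValidationException if any header, signature or claim check fails
     * @throws ClientConfigurationException if the client config is missing or unusable
     */
    public void verifyAccessTokenJWT(Map<String, String> map, SignedJWT signedJWT, ClientID clientID) throws SessionValidationException, ClientConfigurationException {
        String client = clientID.getValue();
        JWTClaimsSet expectedClaims = new JWTClaimsSet.Builder()
                .issuer(client)
                .subject(client)
                .audience(map.get(CONFIG_AUDIENCE))
                .build();
        verifyJWT(map, signedJWT, Set.of("exp", "sub", "iss", "aud", "jti"), expectedClaims);
    }

    /**
     * Runs the three checks in a fixed order: header algorithm, signature, then claims.
     * The signature is verified before the claims so nothing is compared against (or reported
     * about) claim contents of a token that has not been authenticated.
     */
    private void verifyJWT(Map<String, String> map, SignedJWT signedJWT, Set<String> requiredClaims, JWTClaimsSet expectedClaims) throws SessionValidationException, ClientConfigurationException {
        verifyJWTHeader(map, signedJWT);
        verifyJWTSignature(map, signedJWT);
        verifyJWTClaimsSet(signedJWT, requiredClaims, expectedClaims);
    }

    /**
     * Pins the token's {@code alg} header to the algorithm configured for the client. This is the
     * defence against algorithm confusion: the key loaded later is chosen by the configured
     * algorithm, and a token advertising anything else is rejected before any key is touched.
     *
     * @throws SessionValidationException if the header algorithm differs from the configured one
     * @throws ClientConfigurationException if no algorithm is configured
     */
    private void verifyJWTHeader(Map<String, String> map, SignedJWT signedJWT) throws SessionValidationException, ClientConfigurationException {
        String configuredName = map.get(CONFIG_AUTHENTICATION_ALG);
        if (configuredName == null) {
            // JWSAlgorithm.parse(null) would NPE; report it as the config problem it is.
            throw new ClientConfigurationException(
                    "No signing algorithm configured for client",
                    new IllegalStateException("config key '" + CONFIG_AUTHENTICATION_ALG + "' is absent"));
        }
        JWSAlgorithm configuredAlg = JWSAlgorithm.parse(configuredName);
        JWSAlgorithm headerAlg = signedJWT.getHeader().getAlgorithm();
        // equals() compares algorithm names; reference equality only held for Nimbus' constants.
        if (!configuredAlg.equals(headerAlg)) {
            throw new SessionValidationException(String.format("jwt signing algorithm %s does not match signing algorithm configured for client: %s", headerAlg, configuredAlg));
        }
    }

    /**
     * Checks the signature with the client's configured public key.
     *
     * <p>The key is loaded according to the header algorithm, which {@link #verifyJWTHeader}
     * has already pinned to the configured one. EC signatures that arrive DER-encoded are
     * transcoded to the JWS R||S form first; RSA signatures are used as-is.
     *
     * @throws SessionValidationException if the signature is malformed or does not verify
     * @throws ClientConfigurationException if the configured key cannot be loaded
     */
    private void verifyJWTSignature(Map<String, String> map, SignedJWT signedJWT) throws SessionValidationException, ClientConfigurationException {
        JWSAlgorithm alg = signedJWT.getHeader().getAlgorithm();
        try {
            PublicKey publicKey = getPublicKeyFromConfig(map.get(CONFIG_PUBLIC_SIGNING_KEY), alg);
            SignedJWT toVerify = signatureIsDerFormat(signedJWT) ? transcodeSignature(signedJWT) : signedJWT;
            if (!verifySignature(toVerify, publicKey)) {
                throw new SessionValidationException("JWT signature verification failed");
            }
        } catch (CertificateException e) {
            throw new ClientConfigurationException("Certificate problem encountered", e);
        } catch (JOSEException | ParseException e) {
            throw new SessionValidationException("JWT signature verification failed", e);
        }
    }

    /**
     * Returns true when an EC signature is not in the fixed-length R||S concatenation that
     * RFC 7518 mandates for JWS, i.e. it is presumably DER-encoded and needs transcoding.
     *
     * <p>The expected length comes from the token's own (already pinned) algorithm rather than
     * being hard-coded for ES256, and the check is skipped for non-EC algorithms - an RSA
     * signature is never 64 bytes and would otherwise have been fed to the ECDSA transcoder
     * and rejected.
     */
    private boolean signatureIsDerFormat(SignedJWT signedJWT) throws JOSEException {
        JWSAlgorithm alg = signedJWT.getHeader().getAlgorithm();
        if (!JWSAlgorithm.Family.EC.contains(alg)) {
            return false;
        }
        int concatLength = ECDSA.getSignatureByteArrayLength(alg);
        return signedJWT.getSignature().decode().length != concatLength;
    }

    /**
     * Rebuilds the token with its DER signature transcoded to the R||S concatenation, leaving the
     * signed header and payload segments byte-for-byte as they were so the signature still
     * covers the same input.
     *
     * @throws JOSEException if the bytes are not a valid DER ECDSA signature
     * @throws ParseException if the rebuilt compact serialization cannot be parsed
     */
    private SignedJWT transcodeSignature(SignedJWT signedJWT) throws JOSEException, ParseException {
        JWSAlgorithm alg = signedJWT.getHeader().getAlgorithm();
        byte[] concatBytes = ECDSA.transcodeSignatureToConcat(
                signedJWT.getSignature().decode(),
                ECDSA.getSignatureByteArrayLength(alg));
        String[] segments = signedJWT.serialize().split("\\.");
        return new SignedJWT(new Base64URL(segments[0]), new Base64URL(segments[1]), Base64URL.encode(concatBytes));
    }

    /**
     * Delegates claim validation to Nimbus' {@link DefaultJWTClaimsVerifier}: every name in
     * {@code requiredClaims} must be present, every claim set on {@code expectedClaims} must
     * match exactly, and {@code exp}/{@code nbf} are checked against the current time.
     *
     * @throws SessionValidationException wrapping the verifier's reason, or a parse failure
     */
    private void verifyJWTClaimsSet(SignedJWT signedJWT, Set<String> requiredClaims, JWTClaimsSet expectedClaims) throws SessionValidationException {
        try {
            new DefaultJWTClaimsVerifier(expectedClaims, requiredClaims).verify(signedJWT.getJWTClaimsSet(), (SecurityContext) null);
        } catch (BadJWTException | ParseException e) {
            throw new SessionValidationException(e.getMessage(), e);
        }
    }

    /**
     * Loads the client's public key from its base64 config value, in the format implied by the
     * signing algorithm family: an X.509 certificate for RSA, a JWK JSON document for EC.
     *
     * <p>Only the certificate's public key is extracted; no chain, validity-period or revocation
     * checks are made here - the value is trusted because it is the client's registered config.
     *
     * @param encodedKey base64 config value; may be null if the key was never configured
     * @param alg the (pinned) signing algorithm
     * @throws ClientConfigurationException if the value is absent, not base64, or the algorithm
     *     is one this verifier has no key loader for
     */
    private PublicKey getPublicKeyFromConfig(String encodedKey, JWSAlgorithm alg) throws CertificateException, ParseException, JOSEException, ClientConfigurationException {
        if (encodedKey == null) {
            throw new ClientConfigurationException(
                    "No public signing key configured for client",
                    new IllegalStateException("config key '" + CONFIG_PUBLIC_SIGNING_KEY + "' is absent"));
        }
        byte[] decoded;
        try {
            decoded = Base64.getDecoder().decode(encodedKey);
        } catch (IllegalArgumentException e) {
            throw new ClientConfigurationException("Public signing key is not valid base64", e);
        }
        if (JWSAlgorithm.Family.RSA.contains(alg)) {
            return CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(decoded))
                    .getPublicKey();
        }
        if (JWSAlgorithm.Family.EC.contains(alg)) {
            // Explicit charset: the JWK is JSON text and must not depend on the platform default.
            return ECKey.parse(new String(decoded, StandardCharsets.UTF_8)).toECPublicKey();
        }
        // The header alg already equals the configured alg, so reaching here means the client
        // is registered with an algorithm family this verifier cannot load a key for.
        throw new ClientConfigurationException(
                new IllegalArgumentException("Unexpected signing algorithm encountered: " + alg.getName()));
    }

    /**
     * Verifies the signature with the Nimbus verifier matching the key type. The Nimbus
     * verifiers also reject a header algorithm the key cannot serve (e.g. an EC key whose curve
     * does not match the algorithm) by throwing {@link JOSEException}.
     *
     * @return true if the signature verifies
     * @throws ClientConfigurationException if the key is neither RSA nor EC
     */
    private boolean verifySignature(SignedJWT signedJWT, PublicKey publicKey) throws JOSEException, ClientConfigurationException {
        if (publicKey instanceof RSAPublicKey) {
            return signedJWT.verify(new RSASSAVerifier((RSAPublicKey) publicKey));
        }
        if (publicKey instanceof ECPublicKey) {
            return signedJWT.verify(new ECDSAVerifier((ECPublicKey) publicKey));
        }
        throw new ClientConfigurationException(new IllegalStateException("unknown public signing key: " + publicKey.getAlgorithm()));
    }
}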
