package de.fhg.aisec.ids.idscp2.daps.aisecdaps;

import de.fhg.aisec.ids.idscp2.api.FingerprintUtilsKt;
import de.fhg.aisec.ids.idscp2.api.drivers.DapsDriver;
import de.fhg.aisec.ids.idscp2.api.drivers.VerifiedDat;
import de.fhg.aisec.ids.idscp2.api.error.DatException;
import de.fhg.aisec.ids.idscp2.keystores.PreConfiguration;
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.Jwts;
import io.ktor.client.HttpClient;
import io.ktor.client.HttpClientConfig;
import io.ktor.client.HttpClientKt;
import io.ktor.client.engine.HttpClientEngineFactory;
import io.ktor.client.engine.java.Java;
import io.ktor.client.engine.java.JavaHttpConfig;
import io.ktor.client.plugins.HttpRequestRetry;
import io.ktor.client.plugins.HttpTimeout;
import io.ktor.client.plugins.cache.HttpCache;
import io.ktor.client.plugins.contentnegotiation.ContentNegotiation;
import io.ktor.client.request.HttpRequestBuilder;
import io.ktor.http.ContentType;
import io.ktor.http.Headers;
import io.ktor.http.HttpStatusCode;
import io.ktor.serialization.Configuration;
import io.ktor.serialization.jackson.JacksonConverterKt;
import java.net.URI;
import java.net.http.HttpClient;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Collections;
import java.util.Date;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.locks.ReentrantLock;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import kotlin.Metadata;
import kotlin.Triple;
import kotlin.Unit;
import kotlin.collections.CollectionsKt;
import kotlin.jvm.functions.Function1;
import kotlin.jvm.functions.Function3;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;
import kotlin.text.Charsets;
import kotlinx.coroutines.BuildersKt;
import kotlinx.coroutines.Dispatchers;
import org.bouncycastle.asn1.ASN1OctetString;
import org.bouncycastle.asn1.x509.AuthorityKeyIdentifier;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.jose4j.http.SimpleResponse;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* compiled from: AisecDapsDriver.kt */
@Metadata(mv = {1, 9, 0}, k = 1, xi = 48, d1 = {"��r\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u000e\n��\n\u0002\u0010\u0012\n��\n\u0002\u0018\u0002\n��\n\u0002\u0010\t\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0010\u0007\n\u0002\b\u0003\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0007\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0010\u000b\n\u0002\b\u0003\u0018�� .2\u00020\u0001:\u0001.B\r\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0002\u0010\u0004J\u0010\u0010$\u001a\u00020\u00062\u0006\u0010%\u001a\u00020\u0012H\u0002J\b\u0010&\u001a\u00020\nH\u0002J6\u0010'\u001a\u00020(2\u0006\u0010)\u001a\u00020\b2\b\u0010\u001d\u001a\u0004\u0018\u00010\u001e2\b\u0010*\u001a\u0004\u0018\u00010\u00062\u0006\u0010+\u001a\u00020,2\b\b\u0002\u0010\t\u001a\u00020\nH\u0002J\u0018\u0010-\u001a\u00020(2\u0006\u0010)\u001a\u00020\b2\u0006\u0010*\u001a\u00020\u0006H\u0016R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n��R\u000e\u0010\u0005\u001a\u00020\u0006X\u0082\u0004¢\u0006\u0002\n��R\u000e\u0010\u0007\u001a\u00020\bX\u0082\u000e¢\u0006\u0002\n��R\u0010\u0010\t\u001a\u0004\u0018\u00010\nX\u0082\u000e¢\u0006\u0002\n��R\u000e\u0010\u000b\u001a\u00020\fX\u0082\u000e¢\u0006\u0002\n��R\u000e\u0010\r\u001a\u00020\u0006X\u0082\u0004¢\u0006\u0002\n��R\u0016\u0010\u000e\u001a\n 
\u0010*\u0004\u0018\u00010\u000f0\u000fX\u0082\u0004¢\u0006\u0002\n��R\u000e\u0010\u0011\u001a\u00020\u0012X\u0082\u0004¢\u0006\u0002\n��R\u000e\u0010\u0013\u001a\u00020\u0014X\u0082\u0004¢\u0006\u0002\n��R\u000e\u0010\u0015\u001a\u00020\u0016X\u0082\u0004¢\u0006\u0002\n��R\u0014\u0010\u0017\u001a\u00020\u0018X\u0096\u0004¢\u0006\b\n��\u001a\u0004\b\u0019\u0010\u001aR\u000e\u0010\u001b\u001a\u00020\u001cX\u0082\u000e¢\u0006\u0002\n��R\u0010\u0010\u001d\u001a\u0004\u0018\u00010\u001eX\u0082\u000e¢\u0006\u0002\n��R\u000e\u0010\u001f\u001a\u00020 X\u0082\u0004¢\u0006\u0002\n��R\u0014\u0010!\u001a\u00020\b8VX\u0096\u0004¢\u0006\u0006\u001a\u0004\b\"\u0010#¨\u0006/"}, d2 = {"Lde/fhg/aisec/ids/idscp2/daps/aisecdaps/AisecDapsDriver;", "Lde/fhg/aisec/ids/idscp2/api/drivers/DapsDriver;", "config", "Lde/fhg/aisec/ids/idscp2/daps/aisecdaps/AisecDapsDriverConfig;", "(Lde/fhg/aisec/ids/idscp2/daps/aisecdaps/AisecDapsDriverConfig;)V", "connectorUUID", "", "currentToken", "", "dapsMeta", "Lde/fhg/aisec/ids/idscp2/daps/aisecdaps/DapsMeta;", "dapsMetaExpire", "", "dapsUrl", "httpClient", "Lio/ktor/client/HttpClient;", "kotlin.jvm.PlatformType", "localPeerCertificate", "Ljava/security/cert/X509Certificate;", "privateKey", "Ljava/security/Key;", "renewalLock", "Ljava/util/concurrent/locks/ReentrantLock;", "renewalThreshold", "", "getRenewalThreshold", "()F", "renewalTime", "Lorg/jose4j/jwt/NumericDate;", "securityRequirements", "Lde/fhg/aisec/ids/idscp2/daps/aisecdaps/SecurityRequirements;", "sslContext", "Ljavax/net/ssl/SSLContext;", "token", "getToken", "()[B", "extractConnectorUUID", "certificate", "getDapsMeta", "innerVerifyToken", "Lde/fhg/aisec/ids/idscp2/api/drivers/VerifiedDat;", "dat", "peerCertificateFingerprint", "setCurrentToken", "", "verifyToken", "Companion", "idscp2-daps-aisec"})
/* loaded from: input_file:de/fhg/aisec/ids/idscp2/daps/aisecdaps/AisecDapsDriver.class */
public final class AisecDapsDriver implements DapsDriver {

    // Driver configuration handed to the constructor; every other setting below is read from it.
    @NotNull
    private final AisecDapsDriverConfig config;

    // Requirements passed to innerVerifyToken() by verifyToken(). When null, the
    // securityProfile check on a peer's DAT is skipped entirely.
    @Nullable
    private SecurityRequirements securityRequirements;

    // Private key loaded from the configured keystore; signs the DAT request JWT in getToken().
    @NotNull
    private final Key privateKey;

    // Base URL of the DAPS; getDapsMeta() turns it into the URI used for the metadata lookup.
    @NotNull
    private final String dapsUrl;

    // This connector's certificate, loaded from the same keystore entry as privateKey.
    @NotNull
    private final X509Certificate localPeerCertificate;

    // "<SKI>:keyid:<AKI>" derived from localPeerCertificate; used as both issuer and subject
    // of the DAT request JWT.
    @NotNull
    private final String connectorUUID;

    // Last DAT accepted for this connector. Starts as the literal placeholder "INVALID_TOKEN"
    // and is replaced inside innerVerifyToken() when it is called with z == true.
    @NotNull
    private byte[] currentToken;

    // Until this instant getToken() serves currentToken from cache; read and written together
    // with currentToken.
    @NotNull
    private NumericDate renewalTime;
    // Factor from the config, handed to VerifiedDat.remainingValidity() when computing renewalTime.
    private final float renewalThreshold;

    // Fair lock held for the whole of getToken(), so concurrent callers queue behind one renewal.
    @NotNull
    private final ReentrantLock renewalLock;

    // TLS context whose only explicitly configured trust anchor source is the config's TrustManager.
    @NotNull
    private final SSLContext sslContext;
    // Ktor client (io.ktor.client.HttpClient according to the Kotlin metadata above). The
    // decompiler imported both io.ktor.client.HttpClient and java.net.http.HttpClient, so the
    // simple name is ambiguous in this listing.
    private final HttpClient httpClient;

    // Cached DAPS metadata and its expiry in epoch milliseconds (compared against
    // System.currentTimeMillis() in getDapsMeta()). Nothing in this listing writes them;
    // presumably the synthetic coroutine class used by getDapsMeta() does. TODO confirm.
    @Nullable
    private DapsMeta dapsMeta;
    private long dapsMetaExpire;

    // One of the two audience values a DAT must carry to pass innerVerifyToken().
    @NotNull
    private static final String TARGET_AUDIENCE = "idsc:IDS_CONNECTORS_ALL";
    // 86,400,000 ms = 24 h. Not referenced in the visible code; presumably the metadata
    // lifetime used when the DAPS response gives none. TODO confirm against the coroutine class.
    private static final long META_FALLBACK_LIFETIME_MS = 86400000;

    @NotNull
    public static final Companion Companion = new Companion(null);
    private static final Logger LOG = LoggerFactory.getLogger(AisecDapsDriver.class);
    // Process-wide client cache keyed by TrustManager. No entry is removed in the visible code,
    // and a cached client keeps the SSLContext of the driver instance that first created it.
    private static final Map<TrustManager, HttpClient> HTTP_CLIENTS = Collections.synchronizedMap(new LinkedHashMap());

    /* compiled from: AisecDapsDriver.kt */
    @Metadata(mv = {1, 9, 0}, k = 1, xi = 48, d1 = {"��2\n\u0002\u0018\u0002\n\u0002\u0010��\n\u0002\b\u0002\n\u0002\u0010%\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\u0010$\n��\n\u0002\u0018\u0002\n��\n\u0002\u0010\t\n��\n\u0002\u0010\u000e\n��\b\u0086\u0003\u0018��2\u00020\u0001B\u0007\b\u0002¢\u0006\u0002\u0010\u0002RN\u0010\u0003\u001aB\u0012\f\u0012\n \u0006*\u0004\u0018\u00010\u00050\u0005\u0012\f\u0012\n \u0006*\u0004\u0018\u00010\u00070\u0007 \u0006* \u0012\f\u0012\n \u0006*\u0004\u0018\u00010\u00050\u0005\u0012\f\u0012\n \u0006*\u0004\u0018\u00010\u00070\u0007\u0018\u00010\b0\u0004X\u0082\u0004¢\u0006\u0002\n��R\u0016\u0010\t\u001a\n \u0006*\u0004\u0018\u00010\n0\nX\u0082\u0004¢\u0006\u0002\n��R\u000e\u0010\u000b\u001a\u00020\fX\u0082T¢\u0006\u0002\n��R\u000e\u0010\r\u001a\u00020\u000eX\u0082T¢\u0006\u0002\n��¨\u0006\u000f"}, d2 = {"Lde/fhg/aisec/ids/idscp2/daps/aisecdaps/AisecDapsDriver$Companion;", "", "()V", "HTTP_CLIENTS", "", "Ljavax/net/ssl/TrustManager;", "kotlin.jvm.PlatformType", "Lio/ktor/client/HttpClient;", "", "LOG", "Lorg/slf4j/Logger;", "META_FALLBACK_LIFETIME_MS", "", "TARGET_AUDIENCE", "", "idscp2-daps-aisec"})
    /* loaded from: input_file:de/fhg/aisec/ids/idscp2/daps/aisecdaps/AisecDapsDriver$Companion.class */
    // Kotlin companion object as emitted by the compiler. It declares no members of its own
    // here; the constants it owns in Kotlin appear as static fields of the outer class.
    public static final class Companion {
        // Private: the only instance is the outer class's static Companion field.
        private Companion() {
        }

        // Compiler-generated accessor constructor; the marker argument is ignored.
        public /* synthetic */ Companion(DefaultConstructorMarker defaultConstructorMarker) {
            this();
        }
    }

    /**
     * Creates a driver from the given configuration: loads the private key and certificate
     * from the configured keystore, derives the connector identifier from the certificate,
     * builds a TLS context around the configured trust manager and obtains the shared HTTP
     * client for that trust manager.
     *
     * @param aisecDapsDriverConfig driver configuration; must not be null
     * @throws RuntimeException if the TLS context cannot be created or initialised
     */
    public AisecDapsDriver(@NotNull AisecDapsDriverConfig aisecDapsDriverConfig) {
        Intrinsics.checkNotNullParameter(aisecDapsDriverConfig, "config");
        this.config = aisecDapsDriverConfig;
        this.securityRequirements = this.config.getSecurityRequirements();
        // Key and certificate come from the same keystore path and alias.
        this.privateKey = PreConfiguration.INSTANCE.getKey(this.config.getKeyStorePath(), this.config.getKeyStorePassword(), this.config.getKeyAlias(), this.config.getKeyPassword());
        this.dapsUrl = this.config.getDapsUrl();
        this.localPeerCertificate = PreConfiguration.INSTANCE.getCertificate(this.config.getKeyStorePath(), this.config.getKeyStorePassword(), this.config.getKeyAlias());
        this.connectorUUID = extractConnectorUUID(this.localPeerCertificate);
        // Placeholder token plus renewalTime == "now": the cache check in getToken() is
        // already expired on the first call, so the placeholder is not handed out as a DAT.
        byte[] bytes = "INVALID_TOKEN".getBytes(Charsets.UTF_8);
        Intrinsics.checkNotNullExpressionValue(bytes, "getBytes(...)");
        this.currentToken = bytes;
        NumericDate now = NumericDate.now();
        Intrinsics.checkNotNullExpressionValue(now, "now(...)");
        this.renewalTime = now;
        this.renewalThreshold = this.config.getDapsTokenRenewalThreshold();
        // true = fair ordering for threads waiting on a renewal.
        this.renewalLock = new ReentrantLock(true);
        try {
            // Only the trust side is configured explicitly: the sole TrustManager is the one
            // from the config; key managers and the random source are left to provider defaults.
            SSLContext sSLContext = SSLContext.getInstance("TLS");
            sSLContext.init(null, new TrustManager[]{this.config.getTrustManager()}, null);
            Intrinsics.checkNotNull(sSLContext);
            this.sslContext = sSLContext;
            Map<TrustManager, HttpClient> map = HTTP_CLIENTS;
            TrustManager trustManager = this.config.getTrustManager();
            // Factory for the HTTP client; computeIfAbsent below calls it only when no client
            // is cached for this trust manager yet.
            Function1<TrustManager, HttpClient> function1 = new Function1<TrustManager, HttpClient>() { // from class: de.fhg.aisec.ids.idscp2.daps.aisecdaps.AisecDapsDriver$httpClient$1
                /* JADX INFO: Access modifiers changed from: package-private */
                {
                    super(1);
                }

                public final HttpClient invoke(TrustManager trustManager2) {
                    HttpClientEngineFactory httpClientEngineFactory = Java.INSTANCE;
                    final AisecDapsDriver aisecDapsDriver = AisecDapsDriver.this;
                    return HttpClientKt.HttpClient(httpClientEngineFactory, new Function1<HttpClientConfig<JavaHttpConfig>, Unit>() { // from class: de.fhg.aisec.ids.idscp2.daps.aisecdaps.AisecDapsDriver$httpClient$1.1
                        {
                            super(1);
                        }

                        public final void invoke(@NotNull HttpClientConfig<JavaHttpConfig> httpClientConfig) {
                            Intrinsics.checkNotNullParameter(httpClientConfig, "$this$HttpClient");
                            final AisecDapsDriver aisecDapsDriver2 = AisecDapsDriver.this;
                            httpClientConfig.engine(new Function1<JavaHttpConfig, Unit>() { // from class: de.fhg.aisec.ids.idscp2.daps.aisecdaps.AisecDapsDriver.httpClient.1.1.1
                                {
                                    super(1);
                                }

                                public final void invoke(@NotNull JavaHttpConfig javaHttpConfig) {
                                    Intrinsics.checkNotNullParameter(javaHttpConfig, "$this$engine");
                                    final AisecDapsDriver aisecDapsDriver3 = AisecDapsDriver.this;
                                    javaHttpConfig.config(new Function1<HttpClient.Builder, Unit>() { // from class: de.fhg.aisec.ids.idscp2.daps.aisecdaps.AisecDapsDriver.httpClient.1.1.1.1
                                        {
                                            super(1);
                                        }

                                        public final void invoke(@NotNull HttpClient.Builder builder) {
                                            SSLContext sSLContext2;
                                            Intrinsics.checkNotNullParameter(builder, "$this$config");
                                            // The engine uses the SSLContext of the driver instance that
                                            // created this client; later drivers sharing the same
                                            // TrustManager reuse the cached client and this context.
                                            sSLContext2 = AisecDapsDriver.this.sslContext;
                                            builder.sslContext(sSLContext2);
                                        }

                                        public /* bridge */ /* synthetic */ Object invoke(Object obj) {
                                            invoke((HttpClient.Builder) obj);
                                            return Unit.INSTANCE;
                                        }
                                    });
                                }

                                public /* bridge */ /* synthetic */ Object invoke(Object obj) {
                                    invoke((JavaHttpConfig) obj);
                                    return Unit.INSTANCE;
                                }
                            });
                            // HTTP response cache with its default configuration (no config lambda).
                            HttpClientConfig.install$default(httpClientConfig, HttpCache.Companion, (Function1) null, 2, (Object) null);
                            // Jackson-based content negotiation; all converter options are left at defaults.
                            httpClientConfig.install(ContentNegotiation.Plugin, new Function1<ContentNegotiation.Config, Unit>() { // from class: de.fhg.aisec.ids.idscp2.daps.aisecdaps.AisecDapsDriver.httpClient.1.1.2
                                public final void invoke(@NotNull ContentNegotiation.Config config) {
                                    Intrinsics.checkNotNullParameter(config, "$this$install");
                                    JacksonConverterKt.jackson$default((Configuration) config, (ContentType) null, false, (Function1) null, 7, (Object) null);
                                }

                                public /* bridge */ /* synthetic */ Object invoke(Object obj) {
                                    invoke((ContentNegotiation.Config) obj);
                                    return Unit.INSTANCE;
                                }
                            });
                            // Retry policy: limit of 3 for server errors and for exceptions.
                            httpClientConfig.install(HttpRequestRetry.Plugin, new Function1<HttpRequestRetry.Configuration, Unit>() { // from class: de.fhg.aisec.ids.idscp2.daps.aisecdaps.AisecDapsDriver.httpClient.1.1.3
                                public final void invoke(@NotNull HttpRequestRetry.Configuration configuration) {
                                    Intrinsics.checkNotNullParameter(configuration, "$this$install");
                                    configuration.retryOnServerErrors(3);
                                    configuration.retryOnExceptionIf(3, new Function3<HttpRequestRetry.ShouldRetryContext, HttpRequestBuilder, Throwable, Boolean>() { // from class: de.fhg.aisec.ids.idscp2.daps.aisecdaps.AisecDapsDriver.httpClient.1.1.3.1
                                        @NotNull
                                        public final Boolean invoke(@NotNull HttpRequestRetry.ShouldRetryContext shouldRetryContext, @NotNull HttpRequestBuilder httpRequestBuilder, @NotNull Throwable th) {
                                            Intrinsics.checkNotNullParameter(shouldRetryContext, "$this$retryOnExceptionIf");
                                            Intrinsics.checkNotNullParameter(httpRequestBuilder, "<anonymous parameter 0>");
                                            Intrinsics.checkNotNullParameter(th, "<anonymous parameter 1>");
                                            // Every exception is treated as retryable, including ones a
                                            // retry cannot cure (e.g. a certificate the trust manager rejects).
                                            return true;
                                        }
                                    });
                                    // Exponential back-off between attempts, all four parameters at library defaults.
                                    HttpRequestRetry.Configuration.exponentialDelay$default(configuration, 0.0d, 0L, 0L, false, 15, (Object) null);
                                }

                                public /* bridge */ /* synthetic */ Object invoke(Object obj) {
                                    invoke((HttpRequestRetry.Configuration) obj);
                                    return Unit.INSTANCE;
                                }
                            });
                            // Each request is bounded to 1500 ms.
                            httpClientConfig.install(HttpTimeout.Plugin, new Function1<HttpTimeout.HttpTimeoutCapabilityConfiguration, Unit>() { // from class: de.fhg.aisec.ids.idscp2.daps.aisecdaps.AisecDapsDriver.httpClient.1.1.4
                                public final void invoke(@NotNull HttpTimeout.HttpTimeoutCapabilityConfiguration httpTimeoutCapabilityConfiguration) {
                                    Intrinsics.checkNotNullParameter(httpTimeoutCapabilityConfiguration, "$this$install");
                                    httpTimeoutCapabilityConfiguration.setRequestTimeoutMillis(1500L);
                                }

                                public /* bridge */ /* synthetic */ Object invoke(Object obj) {
                                    invoke((HttpTimeout.HttpTimeoutCapabilityConfiguration) obj);
                                    return Unit.INSTANCE;
                                }
                            });
                        }

                        public /* bridge */ /* synthetic */ Object invoke(Object obj) {
                            invoke((HttpClientConfig<JavaHttpConfig>) obj);
                            return Unit.INSTANCE;
                        }
                    });
                }
            };
            // One client per TrustManager for the whole process. `r3` is a decompiler register
            // name; presumably it stands for `function1` above. TODO confirm against the bytecode.
            this.httpClient = map.computeIfAbsent(trustManager, (v1) -> {
                return httpClient$lambda$1(r3, v1);
            });
        } catch (KeyManagementException e) {
            // Both failure modes are logged and rethrown unchecked with the cause attached.
            LOG.error("Cannot init AisecDapsDriver", e);
            throw new RuntimeException(e);
        } catch (NoSuchAlgorithmException e2) {
            LOG.error("Cannot init AisecDapsDriver", e2);
            throw new RuntimeException(e2);
        }
    }

    /**
     * Returns the renewal threshold taken from the driver configuration at construction time.
     *
     * @return the factor handed to {@code VerifiedDat.remainingValidity} when the renewal
     *         time of a freshly obtained token is computed
     */
    public float getRenewalThreshold() {
        return renewalThreshold;
    }

    /**
     * Builds the connector identifier from the certificate's Subject Key Identifier and
     * Authority Key Identifier extensions, in the form {@code <SKI>:keyid:<AKI>} with both
     * parts rendered as upper-case, colon-separated hex.
     *
     * <p>NOTE(review): there is no explicit check that either extension is present or that
     * the AKI carries a keyIdentifier; such a certificate presumably fails here with a
     * NullPointerException rather than a descriptive error. Verify and consider a clear
     * message for operators.
     *
     * @param x509Certificate the connector's own certificate
     * @return the identifier used as issuer and subject of DAT requests
     */
    private final String extractConnectorUUID(X509Certificate x509Certificate) {
        // Authority Key Identifier: the extension value is a DER OCTET STRING wrapping the structure.
        final byte[] akiExtension = x509Certificate.getExtensionValue(Extension.authorityKeyIdentifier.getId());
        final byte[] akiBytes = AuthorityKeyIdentifier.getInstance(ASN1OctetString.getInstance(akiExtension).getOctets()).getKeyIdentifier();
        Intrinsics.checkNotNull(akiBytes);
        final String akiHex = FingerprintUtilsKt.toHexString(akiBytes, ":").toUpperCase(Locale.ROOT);
        Intrinsics.checkNotNullExpressionValue(akiHex, "toUpperCase(...)");

        // Subject Key Identifier, unwrapped the same way.
        final byte[] skiExtension = x509Certificate.getExtensionValue(Extension.subjectKeyIdentifier.getId());
        final byte[] skiBytes = SubjectKeyIdentifier.getInstance(ASN1OctetString.getInstance(skiExtension).getOctets()).getKeyIdentifier();
        Intrinsics.checkNotNull(skiBytes);
        final String skiHex = FingerprintUtilsKt.toHexString(skiBytes, ":").toUpperCase(Locale.ROOT);
        Intrinsics.checkNotNullExpressionValue(skiHex, "toUpperCase(...)");

        if (LOG.isDebugEnabled()) {
            LOG.debug("AKI: " + akiHex);
            LOG.debug("SKI: " + skiHex);
        }
        return String.join(":keyid:", skiHex, akiHex);
    }

    /**
     * Returns the DAPS metadata, reusing the cached copy while it has not expired.
     *
     * <p>When the cached entry is missing or expired, the lookup is delegated to a coroutine
     * run on the IO dispatcher; this call blocks until it completes. The coroutine class is
     * not part of this listing; presumably it also refreshes {@code dapsMeta} and
     * {@code dapsMetaExpire}. TODO confirm.
     *
     * @return the metadata describing the DAPS at {@code dapsUrl}
     */
    private final DapsMeta getDapsMeta() {
        final boolean stillValid = this.dapsMetaExpire > System.currentTimeMillis();
        final DapsMeta cached = stillValid ? this.dapsMeta : null;
        if (cached != null) {
            if (LOG.isDebugEnabled()) {
                final long remainingSeconds = (this.dapsMetaExpire - System.currentTimeMillis()) / 1000;
                LOG.debug("Reusing DAPS meta, remaining validity: {} seconds", Long.valueOf(remainingSeconds));
            }
            return cached;
        }
        // Cache miss: fetch synchronously from the configured DAPS URL.
        final URI dapsUri = URI.create(this.dapsUrl);
        return (DapsMeta) BuildersKt.runBlocking(Dispatchers.getIO(), new AisecDapsDriver$getDapsMeta$2(this, dapsUri, null));
    }

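    /**
     * Returns this connector's Dynamic Attribute Token (DAT).
     *
     * <p>While the current time is before {@code renewalTime} the cached token is returned.
     * Otherwise a signed request JWT is built (issuer and subject are the connector
     * identifier, audience is the DAPS token endpoint) and handed to a coroutine on the IO
     * dispatcher, whose result is returned. The coroutine class is not part of this listing;
     * presumably it posts the request and stores the verified DAT through
     * {@code innerVerifyToken(..., true, ...)}. TODO confirm.
     *
     * <p>The whole method runs under {@code renewalLock}, so concurrent callers wait for a
     * renewal that is already in progress instead of starting their own.
     *
     * <p>The token is a credential and is never written to the log, only its size.
     *
     * @return the serialized DAT
     * @throws DatException if the token cannot be obtained; any other failure is wrapped
     */
    @NotNull
    public byte[] getToken() {
        final ReentrantLock lock = this.renewalLock;
        lock.lock();
        try {
            if (NumericDate.now().isBefore(this.renewalTime)) {
                final byte[] cached = this.currentToken;
                if (LOG.isDebugEnabled()) {
                    // Log the size only: the DAT itself would let anyone with log access present it.
                    LOG.debug("Issue cached DAT ({} bytes)", Integer.valueOf(cached.length));
                }
                return cached;
            }
            if (LOG.isInfoEnabled()) {
                LOG.info("Retrieving Dynamic Attribute Token from DAPS ...");
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("ConnectorUUID: " + this.connectorUUID);
            }
            final DapsMeta dapsMeta = getDapsMeta();
            // One clock reading for all three time claims keeps iat == nbf and exp - iat exact.
            // NOTE(review): 24 h is a long lifetime for a single-use request assertion; a shorter
            // window would limit its usefulness if it were ever captured.
            final Instant now = Instant.now();
            final Date expiration = Date.from(now.plusSeconds(86400L));
            final Date issuedAt = Date.from(now);
            final Date notBefore = Date.from(now);
            final String requestJwt = ((JwtBuilder) Jwts.builder()
                    .issuer(this.connectorUUID)
                    .subject(this.connectorUUID)
                    .claim("@context", "https://w3id.org/idsa/contexts/context.jsonld")
                    .claim("@type", "ids:DatRequestToken")
                    .expiration(expiration)
                    .issuedAt(issuedAt)
                    .notBefore(notBefore)
                    .audience().add(dapsMeta.getTokenEndpoint()).and())
                    .signWith(this.privateKey)
                    .compact();
            return (byte[]) BuildersKt.runBlocking(Dispatchers.getIO(), new AisecDapsDriver$token$1$1(this, dapsMeta, expiration, issuedAt, notBefore, requestJwt, null));
        } catch (DatException e) {
            // Already the domain exception: pass it through unchanged.
            throw e;
        } catch (Throwable t) {
            throw new DatException("Error whilst retrieving DAT", t);
        } finally {
            lock.unlock();
        }
    }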

    /**
     * Verifies a peer's DAT against the current DAPS metadata, the peer's transport
     * certificate fingerprint and this driver's configured security requirements.
     *
     * <p>The verified token is not stored as this connector's own token (the
     * "set current token" flag is passed as {@code false}).
     *
     * @param bArr the serialized DAT received from the peer
     * @param str  fingerprint of the peer certificate, expected among the DAT's
     *             {@code transportCertsSha256} values
     * @return the verified token with its subject and expiration
     * @throws DatException if any verification step fails
     */
    @NotNull
    public VerifiedDat verifyToken(@NotNull byte[] bArr, @NotNull String str) {
        Intrinsics.checkNotNullParameter(bArr, "dat");
        Intrinsics.checkNotNullParameter(str, "peerCertificateFingerprint");
        final SecurityRequirements requirements = this.securityRequirements;
        // Same as the Kotlin default argument: metadata is looked up (or taken from cache) per call.
        final DapsMeta meta = getDapsMeta();
        return innerVerifyToken(bArr, requirements, str, false, meta);
    }

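    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Verifies a DAT and optionally binds it to a peer certificate and a minimum security profile.
     *
     * <p>Checks performed, in order: signature against a key from the DAPS JWKS (restricted
     * to RS256), presence of expiration and subject, audience, issuer, then, if
     * {@code str} is non-null, membership of the fingerprint in {@code transportCertsSha256},
     * and, if {@code securityRequirements} is non-null, the {@code securityProfile} claim
     * against the required level.
     *
     * <p>Passing {@code null} for {@code str} or {@code securityRequirements} skips the
     * corresponding check; callers verifying a remote peer's DAT should supply both.
     *
     * @param bArr                 the serialized DAT (UTF-8 compact JWT)
     * @param securityRequirements required security level, or null to skip the profile check
     * @param str                  peer certificate fingerprint, or null to skip the binding check
     * @param z                    when true, store the token as this connector's current DAT
     *                             and compute its renewal time
     * @param dapsMeta             DAPS metadata supplying the JWKS URI and expected issuer
     * @return the verified token with subject and expiration
     * @throws DatException if verification fails for any reason
     */
    public final VerifiedDat innerVerifyToken(byte[] bArr, SecurityRequirements securityRequirements, String str, boolean z, DapsMeta dapsMeta) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Verifying dynamic attribute token...");
        }
        // Signing keys are fetched from the JWKS URI through this driver's own HTTP client,
        // so the configured trust manager also governs the key download.
        HttpsJwks httpsJwks = new HttpsJwks(dapsMeta.getJwksUri());
        httpsJwks.setSimpleHttpGet((location) -> innerVerifyToken$lambda$5$lambda$4(this, location));
        // RS256 names a JWS signature algorithm, so the allow-list belongs on the JWS
        // constraints; set as a JWE constraint it leaves the signature algorithm
        // unrestricted beyond the library defaults.
        // NOTE(review): confirm that every DAPS in use signs DATs with RS256 before rollout.
        JwtConsumer consumer = new JwtConsumerBuilder()
                .setRequireExpirationTime()
                .setAllowedClockSkewInSeconds(30)
                .setRequireSubject()
                .setExpectedAudience(true, new String[]{"IDS_Connector", TARGET_AUDIENCE})
                .setExpectedIssuer(dapsMeta.getIssuer())
                .setVerificationKeyResolver(new HttpsJwksVerificationKeyResolver(httpsJwks))
                .setJwsAlgorithmConstraints(new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT, new String[]{"RS256"}))
                .build();
        try {
            Charset charset = StandardCharsets.UTF_8;
            Intrinsics.checkNotNullExpressionValue(charset, "UTF_8");
            JwtClaims claims = consumer.processToClaims(new String(bArr, charset));
            Intrinsics.checkNotNullExpressionValue(claims, "processToClaims(...)");
            String subject = claims.getSubject();
            Intrinsics.checkNotNullExpressionValue(subject, "getSubject(...)");
            VerifiedDat verifiedDat = new VerifiedDat(bArr, subject, claims.getExpirationTime().getValue());
            long remainingSeconds = claims.getExpirationTime().getValue() - (System.currentTimeMillis() / 1000);
            if (z) {
                // Own token: cache it and schedule renewal. This happens before the optional
                // fingerprint and profile checks below.
                this.currentToken = bArr;
                NumericDate renewAt = NumericDate.now();
                renewAt.addSeconds(verifiedDat.remainingValidity(getRenewalThreshold()));
                Intrinsics.checkNotNullExpressionValue(renewAt, "apply(...)");
                this.renewalTime = renewAt;
            }
            if (str != null) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Validate peer certificate fingerprint against expected fingerprint from DAT");
                }
                // The claim may be a list or a single string; anything else is rejected.
                List<String> allowedFingerprints;
                if (claims.isClaimValueStringList("transportCertsSha256")) {
                    allowedFingerprints = claims.getStringListClaimValue("transportCertsSha256");
                    Intrinsics.checkNotNull(allowedFingerprints);
                } else if (claims.isClaimValueString("transportCertsSha256")) {
                    allowedFingerprints = CollectionsKt.listOf(claims.getStringClaimValue("transportCertsSha256"));
                } else {
                    throw new DatException("Missing or invalid 'transportCertsSha256' format in DAT");
                }
                // Exact string match: the caller's fingerprint must use the same encoding and
                // letter case as the values issued by the DAPS.
                if (!allowedFingerprints.contains(str)) {
                    throw new DatException("Fingerprint of peer certificate (" + str + ") does not match any fingerprint from DAT (" + allowedFingerprints + ").");
                }
            }
            if (securityRequirements != null) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Validate security attributes");
                }
                String profileName = claims.getStringClaimValue("securityProfile");
                if (profileName == null) {
                    throw new DatException("DAT does not contain securityProfile");
                }
                SecurityProfile peerProfile = SecurityProfile.Companion.fromString(profileName);
                if (peerProfile.compareTo(securityRequirements.getRequiredSecurityLevel()) < 0) {
                    throw new DatException("Peer does not support any valid trust profile: Required: " + securityRequirements.getRequiredSecurityLevel() + " given: " + peerProfile);
                }
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Peer's supported security profile: {}", peerProfile);
                }
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("DAT is valid for {} seconds", Long.valueOf(remainingSeconds));
            }
            return verifiedDat;
        } catch (Exception e) {
            // Every failure, including the DatExceptions raised above, surfaces as one
            // DatException with the original attached as cause.
            throw new DatException("Error during DAT verification", e);
        }
    }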

    /**
     * Compiler-generated bridge for the Kotlin default argument of {@code innerVerifyToken}:
     * when bit 16 of {@code i} is set, the metadata argument was omitted by the caller and is
     * obtained from {@code getDapsMeta()} instead.
     */
    static /* synthetic */ VerifiedDat innerVerifyToken$default(AisecDapsDriver aisecDapsDriver, byte[] bArr, SecurityRequirements securityRequirements, String str, boolean z, DapsMeta dapsMeta, int i, Object obj) {
        final boolean metaOmitted = (i & 16) != 0;
        final DapsMeta effectiveMeta = metaOmitted ? aisecDapsDriver.getDapsMeta() : dapsMeta;
        return aisecDapsDriver.innerVerifyToken(bArr, securityRequirements, str, z, effectiveMeta);
    }

    /**
     * Compiler-generated adapter that lets the Kotlin client factory be used as the mapping
     * function of {@code Map.computeIfAbsent}: it invokes the factory with the map key and
     * casts the result to the Ktor client type.
     */
    private static final io.ktor.client.HttpClient httpClient$lambda$1(Function1 function1, Object obj) {
        Intrinsics.checkNotNullParameter(function1, "$tmp0");
        final Object created = function1.invoke(obj);
        return (io.ktor.client.HttpClient) created;
    }

    // Compiler-generated body of the JWKS download hook installed in innerVerifyToken():
    // given the driver and a URL string, it returns a jose4j SimpleResponse backed by a
    // request made in a coroutine on the IO dispatcher. The coroutine class is not part of
    // this listing; presumably it issues the GET through the driver's Ktor client. TODO confirm.
    private static final SimpleResponse innerVerifyToken$lambda$5$lambda$4(final AisecDapsDriver aisecDapsDriver, final String str) {
        Intrinsics.checkNotNullParameter(aisecDapsDriver, "this$0");
        // The constructor-style arguments on an anonymous implementation are a decompiler
        // rendering of the captured variables, not a real super-constructor call.
        return new SimpleResponse(aisecDapsDriver, str) { // from class: de.fhg.aisec.ids.idscp2.daps.aisecdaps.AisecDapsDriver$innerVerifyToken$httpsJwks$1$1$1

            // (status, headers, body) of the completed request.
            @NotNull
            private final Triple<HttpStatusCode, Headers, String> response;

            /* JADX INFO: Access modifiers changed from: package-private */
            {
                // The request runs eagerly when the response object is created and blocks
                // the calling thread until the coroutine finishes.
                this.response = (Triple) BuildersKt.runBlocking(Dispatchers.getIO(), new AisecDapsDriver$innerVerifyToken$httpsJwks$1$1$1$response$1(aisecDapsDriver, str, null));
            }

            @NotNull
            public final Triple<HttpStatusCode, Headers, String> getResponse() {
                return this.response;
            }

            // Numeric HTTP status of the response.
            public int getStatusCode() {
                return ((HttpStatusCode) this.response.getFirst()).getValue();
            }

            // Status description carried by the Ktor status object.
            @NotNull
            public String getStatusMessage() {
                return ((HttpStatusCode) this.response.getFirst()).getDescription();
            }

            @NotNull
            /* renamed from: getHeaderNames, reason: merged with bridge method [inline-methods] */
            public Set<String> m5getHeaderNames() {
                return ((Headers) this.response.getSecond()).names();
            }

            // All values for the named header, or null when the header is absent.
            @Nullable
            public List<String> getHeaderValues(@NotNull String str2) {
                Intrinsics.checkNotNullParameter(str2, "name");
                return ((Headers) this.response.getSecond()).getAll(str2);
            }

            // Response body as text; jose4j parses it as the JWKS document.
            @NotNull
            public String getBody() {
                return (String) this.response.getThird();
            }
        };
    }
}
