package de.gematik.idp.authentication;

import de.gematik.idp.brainPoolExtension.BrainpoolAlgorithmSuiteIdentifiers;
import de.gematik.idp.crypto.exceptions.IdpCryptoException;
import de.gematik.idp.crypto.model.PkiIdentity;
import de.gematik.idp.exceptions.IdpJoseException;
import de.gematik.idp.field.ClaimName;
import de.gematik.idp.token.JsonWebToken;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import lombok.NonNull;
import org.bouncycastle.jce.spec.ECNamedCurveSpec;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.lang.JoseException;

/* loaded from: input_file:de/gematik/idp/authentication/IdpJwtProcessor.class */
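/**
 * Signs and verifies JSON Web Tokens with the key material of a single identity.
 *
 * <p>The JWS algorithm is derived once, at construction time, from the public key of the
 * certificate: {@code PS256} for RSA keys, {@code ES256} for the BouncyCastle named curve
 * {@code prime256v1}, and {@link BrainpoolAlgorithmSuiteIdentifiers#BRAINPOOL256_USING_SHA256}
 * for every other EC key.
 *
 * <p>An instance created from a certificate alone carries no private key and can only be used
 * for verification; both signing methods reject it with a {@link NullPointerException}.
 */
public class IdpJwtProcessor {
    /** Curve name that selects {@code ES256} instead of the brainpool algorithm. */
    private static final String NIST_P256_CURVE_NAME = "prime256v1";

    private final X509Certificate certificate;
    private final String algorithm;
    // Never null: an absent key id is represented as Optional.empty().
    private final Optional<String> keyId;
    // Null for verify-only instances (certificate-only constructor).
    private final PrivateKey privateKey;

    /**
     * Creates a processor that can sign and verify, adding {@code optional} as key id header.
     *
     * @param pkiIdentity certificate and private key to use
     * @param optional key id to place into the header of signed tokens; a {@code null}
     *     reference is treated like {@link Optional#empty()}
     * @throws NullPointerException if {@code pkiIdentity} or its certificate is {@code null}
     * @throws IdpCryptoException if the certificate's public key is neither EC nor RSA
     */
    public IdpJwtProcessor(@NonNull PkiIdentity pkiIdentity, Optional<String> optional) {
        // The null check has to happen inside the this(...) arguments: a check placed after
        // the delegation can never run, because the dereference comes first.
        this(
            Objects.requireNonNull(pkiIdentity, "identity is marked non-null but is null")
                .getCertificate(),
            pkiIdentity.getPrivateKey(),
            optional);
    }

    /**
     * Creates a processor that can sign and verify, without a key id header.
     *
     * @param pkiIdentity certificate and private key to use
     * @throws NullPointerException if {@code pkiIdentity} or its certificate is {@code null}
     * @throws IdpCryptoException if the certificate's public key is neither EC nor RSA
     */
    public IdpJwtProcessor(@NonNull PkiIdentity pkiIdentity) {
        this(
            Objects.requireNonNull(pkiIdentity, "identity is marked non-null but is null")
                .getCertificate(),
            pkiIdentity.getPrivateKey(),
            Optional.empty());
    }

    /**
     * Creates a verify-only processor: no private key and no key id are set.
     *
     * @param x509Certificate certificate whose public key is used for verification
     * @throws NullPointerException if {@code x509Certificate} is {@code null}
     * @throws IdpCryptoException if the certificate's public key is neither EC nor RSA
     */
    public IdpJwtProcessor(@NonNull X509Certificate x509Certificate) {
        this(x509Certificate, null, Optional.empty());
    }

    /** Single place where all fields are assigned, so none of them is left unset. */
    private IdpJwtProcessor(
            X509Certificate certificate, PrivateKey privateKey, Optional<String> keyId) {
        if (certificate == null) {
            throw new NullPointerException("certificate is marked non-null but is null");
        }
        this.certificate = certificate;
        this.algorithm = determineAlgorithm(certificate.getPublicKey());
        this.privateKey = privateKey;
        // Normalise so that the ifPresent calls in the signing methods cannot hit a null field.
        this.keyId = keyId == null ? Optional.empty() : keyId;
    }

    /** Maps the type (and, for EC, the named curve) of a public key to a JWS algorithm name. */
    private static String determineAlgorithm(PublicKey publicKey) {
        if (publicKey instanceof ECPublicKey) {
            ECPublicKey ecKey = (ECPublicKey) publicKey;
            // getName() exists on ECNamedCurveSpec only, hence the cast after the type test.
            boolean isNistP256 = ecKey.getParams() instanceof ECNamedCurveSpec
                && NIST_P256_CURVE_NAME.equals(((ECNamedCurveSpec) ecKey.getParams()).getName());
            if (isNistP256) {
                return "ES256";
            }
            // NOTE(review): every other EC key is labelled brainpool here, including keys whose
            // parameters are not an ECNamedCurveSpec and keys on other curves. Confirm that only
            // prime256v1 and brainpoolP256r1 can reach this point, or reject unknown curves.
            return BrainpoolAlgorithmSuiteIdentifiers.BRAINPOOL256_USING_SHA256;
        }
        if (publicKey instanceof RSAPublicKey) {
            return "PS256";
        }
        throw new IdpCryptoException(
            "Could not identify Public-Key: " + publicKey.getClass().toString());
    }

    /**
     * Signs the token described by {@code jwtBuilder} with this identity.
     *
     * <p>The builder is modified: the key id (if present), the signer key and the certificate
     * are set on it before it is asked to build the token.
     *
     * @param jwtBuilder description of the token to build
     * @return the token produced by the builder
     * @throws NullPointerException if this instance has no private key or {@code jwtBuilder}
     *     is {@code null}
     */
    public JsonWebToken buildJwt(@NonNull JwtBuilder jwtBuilder) {
        Objects.requireNonNull(this.privateKey, "No private key supplied, cancelling JWT signing");
        Objects.requireNonNull(jwtBuilder, "No Descriptor supplied, cancelling JWT signing");
        this.keyId.ifPresent(kid -> jwtBuilder.addHeaderClaim(ClaimName.KEY_ID, kid));
        return jwtBuilder
            .setSignerKey(this.privateKey)
            .setCertificate(this.certificate)
            .buildJwt();
    }

    /**
     * Signs {@code str} as a compact JWS using the algorithm derived from the certificate.
     *
     * @param str payload to sign
     * @param map additional header claims; applied after the algorithm header and before the
     *     key id and certificate chain headers
     * @param z when {@code true}, the certificate is embedded as certificate chain header
     * @return the serialized token
     * @throws NullPointerException if {@code str} or {@code map} is {@code null}, or if this
     *     instance has no private key
     * @throws IdpJoseException if serialization fails
     */
    public JsonWebToken buildJws(@NonNull String str, @NonNull Map<String, Object> map, boolean z) {
        if (str == null) {
            throw new NullPointerException("payload is marked non-null but is null");
        }
        if (map == null) {
            throw new NullPointerException("headerClaims is marked non-null but is null");
        }
        // Same precondition as buildJwt: a verify-only instance must not attempt to sign.
        Objects.requireNonNull(this.privateKey, "No private key supplied, cancelling JWS signing");

        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(str);
        jws.setKey(this.privateKey);
        jws.setAlgorithmHeaderValue(this.algorithm);
        // NOTE(review): these claims are written after the algorithm header, so an "alg" entry
        // in the map replaces the certificate-derived value. Key id and certificate chain are
        // set afterwards and therefore win over the map. Confirm callers never pass "alg" from
        // data they do not control, or apply the algorithm header last.
        for (Map.Entry<String, Object> claim : map.entrySet()) {
            jws.setHeader(claim.getKey(), claim.getValue());
        }
        this.keyId.ifPresent(kid -> jws.setHeader(ClaimName.KEY_ID.getJoseName(), kid));
        if (z) {
            jws.setCertificateChainHeaderValue(new X509Certificate[] {this.certificate});
        }
        try {
            return new JsonWebToken(jws.getCompactSerialization());
        } catch (JoseException e) {
            throw new IdpJoseException((Exception) e);
        }
    }

    /**
     * Verifies {@code jsonWebToken} against the public key of this processor's certificate.
     *
     * <p>This method only hands the public key to {@link JsonWebToken#verify}; it performs no
     * check of the certificate's validity period, revocation status or chain itself.
     *
     * @param jsonWebToken token to verify
     * @throws NullPointerException if {@code jsonWebToken} is {@code null}
     */
    public void verifyAndThrowExceptionIfFail(@NonNull JsonWebToken jsonWebToken) {
        if (jsonWebToken == null) {
            throw new NullPointerException("jwt is marked non-null but is null");
        }
        jsonWebToken.verify(this.certificate.getPublicKey());
    }

    /**
     * Returns the decoded header of {@code jsonWebToken}.
     *
     * <p>No verification call is made here; treat the result as unauthenticated unless the
     * token has been verified separately.
     *
     * @param jsonWebToken token to read
     * @return the decoded header as provided by the token
     * @throws NullPointerException if {@code jsonWebToken} is {@code null}
     */
    public static String getHeaderDecoded(@NonNull JsonWebToken jsonWebToken) {
        if (jsonWebToken == null) {
            throw new NullPointerException("jwt is marked non-null but is null");
        }
        return jsonWebToken.getHeaderDecoded();
    }

    /**
     * Returns the decoded payload of {@code jsonWebToken}.
     *
     * <p>No verification call is made here; treat the result as unauthenticated unless the
     * token has been verified separately.
     *
     * @param jsonWebToken token to read
     * @return the decoded payload as provided by the token
     * @throws NullPointerException if {@code jsonWebToken} is {@code null}
     */
    public static String getPayloadDecoded(@NonNull JsonWebToken jsonWebToken) {
        if (jsonWebToken == null) {
            throw new NullPointerException("jwt is marked non-null but is null");
        }
        return jsonWebToken.getPayloadDecoded();
    }
}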
