package de.gematik.idp.authentication;

import de.gematik.idp.brainPoolExtension.BrainpoolAlgorithmSuiteIdentifiers;
import de.gematik.idp.exceptions.ChallengeExpiredException;
import de.gematik.idp.exceptions.ChallengeSignatureInvalidException;
import de.gematik.idp.exceptions.IdpJoseException;
import de.gematik.idp.exceptions.NoNestedJwtFoundException;
import de.gematik.idp.field.ClaimName;
import de.gematik.idp.token.JsonWebToken;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.time.ZonedDateTime;
import java.util.Map;
import java.util.Optional;
import lombok.Generated;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;

/* loaded from: input_file:de/gematik/idp/authentication/AuthenticationChallengeVerifier.class */
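/**
 * Verifies a signed authentication challenge response.
 *
 * <p>Two independent signatures are checked by {@link #verifyResponseAndThrowExceptionIfFail}:
 * <ul>
 *   <li>the outer token must be signed with the private key belonging to the client
 *       certificate carried in its own JWS header;</li>
 *   <li>the nested challenge token (body claim {@link ClaimName#NESTED_JWT}) must be signed by
 *       the server key configured on this verifier and must not be expired.</li>
 * </ul>
 *
 * <p>This class does NOT establish trust in the client certificate (chain building, validity
 * period, revocation, key usage). It only proves that whoever signed the response holds the
 * private key matching that certificate; callers must validate the certificate separately.
 *
 * <p>Builder, accessors, {@code equals}/{@code hashCode}/{@code toString} are Lombok-generated
 * ({@code @Generated}); the key is mutable via {@link #setServerPublicKey(PublicKey)}, so the
 * instance is not safe for unsynchronised concurrent reconfiguration.
 */
public class AuthenticationChallengeVerifier {
    /** Public key used to verify the signature of the server-issued nested challenge token. */
    private PublicKey serverPublicKey;

    /** Lombok-style builder; only the server public key is configurable. */
    @Generated
    /* loaded from: input_file:de/gematik/idp/authentication/AuthenticationChallengeVerifier$AuthenticationChallengeVerifierBuilder.class */
    public static class AuthenticationChallengeVerifierBuilder {

        @Generated
        private PublicKey serverPublicKey;

        @Generated
        AuthenticationChallengeVerifierBuilder() {
        }

        /** Sets the key used to verify the nested server-signed challenge. */
        @Generated
        public AuthenticationChallengeVerifierBuilder serverPublicKey(PublicKey publicKey) {
            this.serverPublicKey = publicKey;
            return this;
        }

        /** Builds the verifier; a {@code null} key is accepted here and only fails at verify time. */
        @Generated
        public AuthenticationChallengeVerifier build() {
            return new AuthenticationChallengeVerifier(this.serverPublicKey);
        }

        @Generated
        public String toString() {
            return "AuthenticationChallengeVerifier.AuthenticationChallengeVerifierBuilder(serverPublicKey=" + this.serverPublicKey + ")";
        }
    }

    /**
     * Verifies a challenge response end to end: client signature on the outer token, then
     * server signature and expiry of the nested challenge.
     *
     * <p>The client certificate is taken from the outer token's own header, so this step only
     * demonstrates proof of possession of the corresponding private key, not that the
     * certificate is trusted.
     *
     * @param jsonWebToken the signed challenge response as received from the client
     * @throws IdpJoseException if the header carries no client certificate
     * @throws ChallengeSignatureInvalidException if either signature does not verify
     * @throws NoNestedJwtFoundException if the body has no nested challenge token
     * @throws ChallengeExpiredException if the nested challenge is expired
     */
    public void verifyResponseAndThrowExceptionIfFail(JsonWebToken jsonWebToken) {
        X509Certificate clientCertificate = extractClientCertificateFromChallenge(jsonWebToken)
            .orElseThrow(() -> new IdpJoseException("Could not extract client certificate from challenge response header"));
        performClientSignatureValidation(clientCertificate, jsonWebToken.getRawString());
        performServerSignatureValidationOfNjwt(jsonWebToken);
    }

    /**
     * Verifies only the client signature of the outer token against an externally supplied
     * certificate. The nested server-signed challenge is NOT checked by this method.
     *
     * @param x509Certificate certificate whose public key must have produced the signature
     * @param jsonWebToken the signed challenge response
     * @throws ChallengeSignatureInvalidException if the signature does not verify
     */
    public void verifyResponseWithCertAndThrowExceptionIfFail(X509Certificate x509Certificate, JsonWebToken jsonWebToken) {
        performClientSignatureValidation(x509Certificate, jsonWebToken.getRawString());
    }

    /**
     * Checks the JWS signature of the compact-serialised token {@code str} with the public key
     * of {@code x509Certificate}.
     *
     * <p>The algorithm allow-list is explicit (PERMIT PS256 and brainpoolP256r1/SHA-256 only),
     * which rejects {@code none} and any other algorithm and so rules out algorithm-confusion
     * attacks. jose4j's default audience validation is switched off because a challenge
     * response carries no audience for this verifier to expect; jose4j's other default claim
     * validators are left in place (presumably exp/nbf if present — verify against the
     * jose4j version in use).
     *
     * @throws ChallengeSignatureInvalidException wrapping whatever jose4j reports on failure
     */
    private void performClientSignatureValidation(X509Certificate x509Certificate, String str) {
        AlgorithmConstraints permittedAlgorithms = new AlgorithmConstraints(
            AlgorithmConstraints.ConstraintType.PERMIT,
            new String[]{"PS256", BrainpoolAlgorithmSuiteIdentifiers.BRAINPOOL256_USING_SHA256});
        try {
            new JwtConsumerBuilder()
                .setVerificationKey(x509Certificate.getPublicKey())
                .setSkipDefaultAudienceValidation()
                .setJwsAlgorithmConstraints(permittedAlgorithms)
                .build()
                .process(str);
        } catch (Exception e) {
            throw new ChallengeSignatureInvalidException(e);
        }
    }

    /**
     * Extracts the nested challenge token from the outer token's body, checks both of its
     * expiry timestamps against the current time, then verifies its signature with
     * {@link #serverPublicKey}.
     *
     * <p>NOTE(review): the expiry claims are read from a token whose signature has not yet been
     * verified at that point, so an "expired" outcome is not evidence that the token was
     * genuine. The order is kept as in the original so that callers keep observing
     * {@link ChallengeExpiredException} for expired-but-valid challenges; whether
     * {@code JsonWebToken.verify} performs its own expiry check is not visible here.
     *
     * @throws NoNestedJwtFoundException if the body has no {@link ClaimName#NESTED_JWT} claim
     * @throws ChallengeExpiredException if either expiry timestamp lies in the past
     * @throws ChallengeSignatureInvalidException if the server signature does not verify
     */
    private void performServerSignatureValidationOfNjwt(JsonWebToken jsonWebToken) {
        JsonWebToken nestedJwt = (JsonWebToken) jsonWebToken.getBodyClaim(ClaimName.NESTED_JWT)
            .map(obj -> new JsonWebToken(obj.toString()))
            .orElseThrow(NoNestedJwtFoundException::new);
        // Read the clock once so both expiry comparisons use the same instant.
        ZonedDateTime now = ZonedDateTime.now();
        if (nestedJwt.getExpiresAt().isBefore(now) || nestedJwt.getExpiresAtBody().isBefore(now)) {
            throw new ChallengeExpiredException();
        }
        try {
            nestedJwt.verify(this.serverPublicKey);
        } catch (Exception e) {
            // Preserve the cause (the original dropped it), matching how the client-signature
            // path reports failures; without it a rejected server signature is undiagnosable.
            throw new ChallengeSignatureInvalidException(e);
        }
    }

    /**
     * Returns the client certificate from the token's JWS header, if present. The certificate
     * is taken as-is; nothing about it is validated here.
     */
    public Optional<X509Certificate> extractClientCertificateFromChallenge(JsonWebToken jsonWebToken) {
        return jsonWebToken.getClientCertificateFromHeader();
    }

    /**
     * Returns the body claims of the signed challenge. No signature or expiry check is performed
     * by this method; only treat the claims as trustworthy after a verify call has succeeded.
     */
    public Map<String, Object> extractClaimsFromSignedChallenge(AuthenticationResponse authenticationResponse) {
        return authenticationResponse.getSignedChallenge().getBodyClaims();
    }

    @Generated
    public static AuthenticationChallengeVerifierBuilder builder() {
        return new AuthenticationChallengeVerifierBuilder();
    }

    @Generated
    public PublicKey getServerPublicKey() {
        return this.serverPublicKey;
    }

    @Generated
    public void setServerPublicKey(PublicKey publicKey) {
        this.serverPublicKey = publicKey;
    }

    @Generated
    public boolean equals(Object obj) {
        if (obj == this) {
            return true;
        }
        if (!(obj instanceof AuthenticationChallengeVerifier)) {
            return false;
        }
        AuthenticationChallengeVerifier other = (AuthenticationChallengeVerifier) obj;
        if (!other.canEqual(this)) {
            return false;
        }
        PublicKey thisKey = getServerPublicKey();
        PublicKey otherKey = other.getServerPublicKey();
        return thisKey == null ? otherKey == null : thisKey.equals(otherKey);
    }

    @Generated
    protected boolean canEqual(Object obj) {
        return obj instanceof AuthenticationChallengeVerifier;
    }

    @Generated
    public int hashCode() {
        PublicKey key = getServerPublicKey();
        return (1 * 59) + (key == null ? 43 : key.hashCode());
    }

    @Generated
    public String toString() {
        return "AuthenticationChallengeVerifier(serverPublicKey=" + getServerPublicKey() + ")";
    }

    /**
     * Creates a verifier for the given server public key.
     *
     * @param publicKey key used to verify the nested server-signed challenge; may be {@code null},
     *                  in which case nested-token verification is expected to fail
     */
    @Generated
    public AuthenticationChallengeVerifier(PublicKey publicKey) {
        this.serverPublicKey = publicKey;
    }
}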
