package de.gematik.idp.authentication;

import de.gematik.idp.brainPoolExtension.BrainpoolAlgorithmSuiteIdentifiers;
import de.gematik.idp.crypto.exceptions.IdpCryptoException;
import de.gematik.idp.crypto.model.PkiIdentity;
import de.gematik.idp.exceptions.IdpJoseException;
import de.gematik.idp.field.ClaimName;
import de.gematik.idp.token.JsonWebToken;
import java.security.Key;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.time.ZonedDateTime;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import lombok.Generated;
import org.bouncycastle.jce.spec.ECNamedCurveSpec;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.jose4j.lang.JoseException;

/* loaded from: input_file:de/gematik/idp/authentication/JwtBuilder.class */
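/**
 * Fluent builder that assembles header and body claims, signs them with the configured key and
 * returns the result as a {@link JsonWebToken}.
 *
 * <p>The builder is mutable and performs no synchronization. It does not check that the configured
 * certificate belongs to the configured signer key; {@link #setSignerKey(Key)} and
 * {@link #setCertificate(X509Certificate)} are independent, so callers that emit an x5c header must
 * make sure both come from the same identity (for example via {@link #setIdentity(PkiIdentity)}).
 */
public class JwtBuilder {
    private final Map<String, Object> headerClaims = new HashMap<>();
    private final Map<String, Object> bodyClaims = new HashMap<>();
    private Key signerKey;
    private X509Certificate certificate;
    private boolean includeSignerCertificateInHeader;

    /**
     * Replaces every body claim with the entries of {@code map}.
     *
     * @param map the new body claims; must not be {@code null}
     * @return this builder
     * @throws NullPointerException if {@code map} is {@code null} (the existing claims are kept)
     */
    public JwtBuilder replaceAllBodyClaims(Map<String, Object> map) {
        // Snapshot first: getClaims() hands out the live map, so the argument may be bodyClaims
        // itself, and clearing before copying would silently drop every claim.
        final Map<String, Object> snapshot = new HashMap<>(map);
        this.bodyClaims.clear();
        this.bodyClaims.putAll(snapshot);
        return this;
    }

    /**
     * Adds the entries of {@code map} to the body claims, overwriting claims with the same name.
     *
     * @param map the claims to add
     * @return this builder
     */
    public JwtBuilder addAllBodyClaims(Map<String, Object> map) {
        this.bodyClaims.putAll(map);
        return this;
    }

    /**
     * Replaces every header claim with the entries of {@code map}.
     *
     * @param map the new header claims; must not be {@code null}
     * @return this builder
     * @throws NullPointerException if {@code map} is {@code null} (the existing claims are kept)
     */
    public JwtBuilder replaceAllHeaderClaims(Map<String, Object> map) {
        // Same snapshot-then-swap order as replaceAllBodyClaims, so a failing copy cannot leave
        // the builder with an emptied header.
        final Map<String, Object> snapshot = new HashMap<>(map);
        this.headerClaims.clear();
        this.headerClaims.putAll(snapshot);
        return this;
    }

    /**
     * Adds the entries of {@code map} to the header claims, overwriting claims with the same name.
     *
     * @param map the claims to add
     * @return this builder
     */
    public JwtBuilder addAllHeaderClaims(Map<String, Object> map) {
        this.headerClaims.putAll(map);
        return this;
    }

    /**
     * Sets a single header claim under the JOSE name of {@code claimName}.
     *
     * @param claimName the claim whose JOSE name is used as key
     * @param obj the claim value
     * @return this builder
     */
    public JwtBuilder addHeaderClaim(ClaimName claimName, Object obj) {
        this.headerClaims.put(claimName.getJoseName(), obj);
        return this;
    }

    /**
     * Sets a single body claim under the JOSE name of {@code claimName}.
     *
     * @param claimName the claim whose JOSE name is used as key
     * @param obj the claim value
     * @return this builder
     */
    public JwtBuilder addBodyClaim(ClaimName claimName, Object obj) {
        this.bodyClaims.put(claimName.getJoseName(), obj);
        return this;
    }

    /**
     * Sets the {@link ClaimName#EXPIRES_AT} body claim to the epoch second of {@code zonedDateTime}.
     *
     * @param zonedDateTime the expiry instant
     * @return this builder
     */
    public JwtBuilder expiresAt(ZonedDateTime zonedDateTime) {
        final long expiry = NumericDate.fromSeconds(zonedDateTime.toEpochSecond()).getValue();
        this.bodyClaims.put(ClaimName.EXPIRES_AT.getJoseName(), expiry);
        return this;
    }

    /**
     * Sets the key used to sign the token.
     *
     * @param key the signing key
     * @return this builder
     */
    public JwtBuilder setSignerKey(Key key) {
        this.signerKey = key;
        return this;
    }

    /**
     * Sets the certificate that is written to the x5c header when that header is enabled.
     *
     * @param x509Certificate the signer certificate
     * @return this builder
     */
    public JwtBuilder setCertificate(X509Certificate x509Certificate) {
        this.certificate = x509Certificate;
        return this;
    }

    /**
     * Takes both the certificate and the private key from {@code pkiIdentity}.
     *
     * @param pkiIdentity the identity to sign with
     * @return this builder
     */
    public JwtBuilder setIdentity(PkiIdentity pkiIdentity) {
        this.certificate = pkiIdentity.getCertificate();
        this.signerKey = pkiIdentity.getPrivateKey();
        return this;
    }

    /**
     * Signs the collected claims and returns the compact serialization wrapped in a
     * {@link JsonWebToken}.
     *
     * @return the signed token
     * @throws NullPointerException if no signer key has been set
     * @throws IdpJoseException if the x5c header is requested without a certificate, or if the
     *     serialization fails
     * @throws IdpCryptoException if the signer key is neither an EC nor an RSA private key
     */
    public JsonWebToken buildJwt() {
        Objects.requireNonNull(this.signerKey, "No private key supplied, cancelling JWT signing");
        final JwtClaims jwtClaims = new JwtClaims();
        this.bodyClaims.forEach(jwtClaims::setClaim);

        final JsonWebSignature jsonWebSignature = new JsonWebSignature();
        jsonWebSignature.setPayload(jwtClaims.toJson());
        jsonWebSignature.setKey(this.signerKey);
        jsonWebSignature.setAlgorithmHeaderValue(determineAlgorithm());
        // NOTE(review): caller-supplied headers are written after the computed alg, so an "alg"
        // entry in headerClaims would presumably replace the value derived from the key. Confirm
        // this is intended; if not, reject that entry here instead of letting it win.
        this.headerClaims.forEach((name, value) -> jsonWebSignature.setHeader(name, value));

        if (this.includeSignerCertificateInHeader) {
            if (this.certificate == null) {
                throw new IdpJoseException("Could not include x5c-header: certificate not set");
            }
            // Written last, after the caller-supplied headers. Nothing here checks that the
            // certificate matches signerKey.
            jsonWebSignature.setCertificateChainHeaderValue(new X509Certificate[]{this.certificate});
        }
        try {
            return new JsonWebToken(jsonWebSignature.getCompactSerialization());
        } catch (JoseException e) {
            throw new IdpJoseException((Exception) e);
        }
    }

    /**
     * Derives the JWS algorithm identifier from the type of the signer key.
     *
     * @return {@code "ES256"} for an EC key on the named curve {@code prime256v1}, the Brainpool
     *     P-256 identifier for every other EC key, and {@code "PS256"} for an RSA key
     * @throws IdpCryptoException if the key is of any other type
     */
    private String determineAlgorithm() {
        if (this.signerKey instanceof ECPrivateKey) {
            final ECPrivateKey ecKey = (ECPrivateKey) this.signerKey;
            // The curve name is only available on Bouncy Castle's ECNamedCurveSpec.
            if (ecKey.getParams() instanceof ECNamedCurveSpec
                && "prime256v1".equals(((ECNamedCurveSpec) ecKey.getParams()).getName())) {
                return "ES256";
            }
            // NOTE(review): every other EC key, including one on a different curve or one whose
            // parameters are not an ECNamedCurveSpec, is labelled as Brainpool P-256 without
            // checking the curve. Confirm that callers only pass brainpoolP256r1 keys here.
            return BrainpoolAlgorithmSuiteIdentifiers.BRAINPOOL256_USING_SHA256;
        }
        if (this.signerKey instanceof RSAPrivateKey) {
            return "PS256";
        }
        throw new IdpCryptoException("Could not identify Signer-Key: " + this.signerKey.getClass());
    }

    /**
     * Returns the body claims collected so far.
     *
     * @return the builder's own live, mutable map (not a copy); changes made through it are
     *     reflected in the next {@link #buildJwt()}
     */
    public Map<String, Object> getClaims() {
        return this.bodyClaims;
    }

    /**
     * Controls whether {@link #buildJwt()} writes the configured certificate to the x5c header.
     *
     * @param z {@code true} to include the certificate
     * @return this builder
     */
    public JwtBuilder includeSignerCertificateInHeader(boolean z) {
        this.includeSignerCertificateInHeader = z;
        return this;
    }

    /** Creates an empty builder without key or certificate; the x5c header is disabled. */
    @Generated
    public JwtBuilder() {
    }

    /**
     * Creates a builder with the given signing material and empty claim maps.
     *
     * @param key the signing key
     * @param x509Certificate the signer certificate
     * @param z whether the certificate is written to the x5c header
     */
    @Generated
    public JwtBuilder(Key key, X509Certificate x509Certificate, boolean z) {
        this.signerKey = key;
        this.certificate = x509Certificate;
        this.includeSignerCertificateInHeader = z;
    }
}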
