package at.gv.egiz.eaaf.modules.auth.sl20.utils;

import at.gv.egiz.eaaf.core.exception.EaafKeyUsageException;
import at.gv.egiz.eaaf.core.exceptions.EaafException;
import at.gv.egiz.eaaf.core.impl.credential.EaafKeyStoreUtils;
import at.gv.egiz.eaaf.core.impl.data.Pair;
import at.gv.egiz.eaaf.core.impl.utils.X509Utils;
import java.io.IOException;
import java.security.Key;
import java.security.KeyStore;
import java.security.Provider;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.RSAPrivateKey;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import javax.annotation.Nonnull;
import lombok.Generated;
import org.apache.commons.lang3.StringUtils;
import org.jose4j.jca.ProviderContext;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwx.Headers;
import org.jose4j.keys.resolvers.X509VerificationKeyResolver;
import org.jose4j.lang.JoseException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.Base64Utils;

/* loaded from: input_file:at/gv/egiz/eaaf/modules/auth/sl20/utils/JoseUtils.class */
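/**
 * JOSE helpers for the SL2.0 authentication module.
 *
 * <p>{@code createSignature(...)} produces a JWS compact serialization from a key-store
 * credential, choosing the {@code alg} header from the private-key type (RSA or EC).
 * {@code validateSignature(...)} verifies a received JWS, resolving the verification key
 * either from the {@code x5c} header (the signer certificate must be contained in the
 * supplied trust list) or from the {@code x5t#S256} thumbprint (resolved against the
 * trust list).
 *
 * <p>All members are static and stateless; the class cannot be instantiated.
 */
public class JoseUtils {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(JoseUtils.class);

    /**
     * Result of {@link #validateSignature(String, List, AlgorithmConstraints)}.
     *
     * <p>{@link #getPayLoad()} is the <em>unverified</em> payload as read from the JWS;
     * callers must consult {@link #isValid()} before trusting it.
     */
    public static class JwsResult {
        // true iff jose4j's verifySignature() succeeded for the selected key
        final boolean valid;
        // payload taken from the JWS without signature verification
        final String payLoad;
        // complete (unverified) JOSE header
        final Headers fullJoseHeader;
        // certificates from the x5c header in received (unsorted) order; null if the header was absent
        final List<X509Certificate> x5cCerts;

        /** @return {@code true} if the signature verified against the selected key */
        @Generated
        public boolean isValid() {
            return this.valid;
        }

        /** @return the unverified JWS payload */
        @Generated
        public String getPayLoad() {
            return this.payLoad;
        }

        /** @return the full JOSE header of the JWS */
        @Generated
        public Headers getFullJoseHeader() {
            return this.fullJoseHeader;
        }

        /** @return certificates of the {@code x5c} header, or {@code null} if none was present */
        @Generated
        public List<X509Certificate> getX5cCerts() {
            return this.x5cCerts;
        }

        /**
         * @param z       verification outcome
         * @param str     unverified payload
         * @param headers full JOSE header
         * @param list    certificates of the {@code x5c} header (may be {@code null})
         */
        @Generated
        public JwsResult(boolean z, String str, Headers headers, List<X509Certificate> list) {
            this.valid = z;
            this.payLoad = str;
            this.fullJoseHeader = headers;
            this.x5cCerts = list;
        }
    }

    /**
     * Creates a JWS with no additional JOSE headers, using the module default algorithms
     * ({@code SL20Constants.JSON_ALGORITHM_SIGNING_PS256} for RSA keys and
     * {@code SL20Constants.JSON_ALGORITHM_SIGNING_ES256} for EC keys).
     *
     * @param pair key store plus an optional JCA provider ({@code null} second element
     *             means the default provider)
     * @param str  key alias inside the key store
     * @param cArr key password
     * @param str2 payload to sign
     * @param z    {@code true} to include the certificate chain as {@code x5c} header
     * @param str3 friendly name of the key store, used in error messages
     * @return the JWS compact serialization
     * @throws EaafException if the key cannot be loaded or its type is unsupported
     * @throws JoseException if jose4j fails to build the signature
     */
    public static String createSignature(@Nonnull Pair<KeyStore, Provider> pair, @Nonnull String str, @Nonnull char[] cArr, @Nonnull String str2, boolean z, @Nonnull String str3) throws EaafException, JoseException {
        return createSignature(pair, str, cArr, str2, z, Collections.emptyMap(), SL20Constants.JSON_ALGORITHM_SIGNING_PS256, SL20Constants.JSON_ALGORITHM_SIGNING_ES256, str3);
    }

    /**
     * Creates a JWS with additional JOSE headers, using the module default algorithms.
     *
     * @param pair key store plus an optional JCA provider
     * @param str  key alias inside the key store
     * @param cArr key password
     * @param str2 payload to sign
     * @param z    {@code true} to include the certificate chain as {@code x5c} header
     * @param map  additional JOSE header name/value pairs
     * @param str3 friendly name of the key store, used in error messages
     * @return the JWS compact serialization
     * @throws EaafException if the key cannot be loaded or its type is unsupported
     * @throws JoseException if jose4j fails to build the signature
     */
    public static String createSignature(@Nonnull Pair<KeyStore, Provider> pair, @Nonnull String str, @Nonnull char[] cArr, @Nonnull String str2, boolean z, @Nonnull Map<String, String> map, @Nonnull String str3) throws EaafException, JoseException {
        return createSignature(pair, str, cArr, str2, z, map, SL20Constants.JSON_ALGORITHM_SIGNING_PS256, SL20Constants.JSON_ALGORITHM_SIGNING_ES256, str3);
    }

    /**
     * Creates a JWS compact serialization.
     *
     * <p>The {@code alg} header is chosen from the private-key type: {@code str3} for RSA
     * keys, {@code str4} for EC keys. The {@code x5t#S256} header is always set from the
     * first certificate of the key's chain; the {@code x5c} header only if {@code z} is set.
     *
     * @param pair key store plus an optional JCA provider ({@code null} second element
     *             means the default provider)
     * @param str  key alias inside the key store
     * @param cArr key password
     * @param str2 payload to sign
     * @param z    {@code true} to include the certificate chain as {@code x5c} header
     * @param map  additional JOSE header name/value pairs
     * @param str3 JWS algorithm to use for RSA keys
     * @param str4 JWS algorithm to use for EC keys
     * @param str5 friendly name of the key store, used in error messages
     * @return the JWS compact serialization
     * @throws EaafException if the key cannot be loaded, has no certificate, or its type
     *                       is neither RSA nor EC
     * @throws JoseException if jose4j fails to build the signature
     */
    public static String createSignature(@Nonnull Pair<KeyStore, Provider> pair, @Nonnull String str, @Nonnull char[] cArr, @Nonnull String str2, boolean z, @Nonnull Map<String, String> map, @Nonnull String str3, @Nonnull String str4, @Nonnull String str5) throws EaafException, JoseException {
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(str2);

        for (Map.Entry<String, String> header : map.entrySet()) {
            log.trace("Set JOSE header: {} with value: {} into JWS", header.getKey(), header.getValue());
            jws.setHeader(header.getKey(), header.getValue());
        }

        Pair<Key, X509Certificate[]> credential = EaafKeyStoreUtils.getPrivateKeyAndCertificates(pair.getFirst(), str, cArr, true, str5);
        X509Certificate[] certChain = credential.getSecond();
        // The x5t#S256 header needs the signer certificate; fail with a descriptive error
        // instead of an ArrayIndexOutOfBoundsException when the chain is missing.
        if (certChain == null || certChain.length == 0) {
            log.warn("No certificate available for key: {} in KeyStore: {}", str, str5);
            throw new EaafKeyUsageException("internal.key.01", new String[]{str5, "No certificate available for signing key"});
        }

        jws.setKey(credential.getFirst());
        jws.setAlgorithmHeaderValue(getKeyOperationAlgorithmFromCredential(jws.getKey(), str3, str4, str5));

        Provider provider = pair.getSecond();
        if (provider != null) {
            // Route the signature operation to the caller-supplied provider (e.g. an HSM).
            log.trace("Injecting special Java Security Provider: {}", provider.getName());
            ProviderContext providerContext = new ProviderContext();
            providerContext.getSuppliedKeyProviderContext().setSignatureProvider(provider.getName());
            jws.setProviderContext(providerContext);
        }

        if (z) {
            jws.setCertificateChainHeaderValue(certChain);
        }
        jws.setX509CertSha256ThumbprintHeaderValue(certChain[0]);
        return jws.getCompactSerialization();
    }

    /**
     * Verifies a JWS compact serialization against a list of trusted certificates.
     *
     * <p>Key selection: if an {@code x5c} header is present, the received chain is sorted
     * with {@link X509Utils#sortCertificates(List)} and the first certificate of the sorted
     * list is taken as the signer; it must be contained in {@code list} (exact match via
     * {@link X509Certificate#equals(Object)}). No certification-path building or
     * revocation checking is performed here. Without {@code x5c}, the {@code x5t#S256}
     * thumbprint is resolved against {@code list}.
     *
     * @param str                  JWS compact serialization
     * @param list                 trusted certificates
     * @param algorithmConstraints restricts which {@code alg} values jose4j accepts
     * @return verification outcome together with the unverified payload and header
     * @throws JoseException if the JWS is malformed, carries neither {@code x5c} nor
     *                       {@code x5t#S256}, or no trusted verification key can be selected
     * @throws IOException   if the JWS cannot be parsed
     */
    public static JwsResult validateSignature(@Nonnull String str, @Nonnull List<X509Certificate> list, @Nonnull AlgorithmConstraints algorithmConstraints) throws JoseException, IOException {
        JsonWebSignature jws = new JsonWebSignature();
        jws.setCompactSerialization(str);
        jws.setAlgorithmConstraints(algorithmConstraints);

        List<X509Certificate> x5cChain = jws.getCertificateChainHeaderValue();
        String x5tS256 = jws.getX509CertSha256ThumbprintHeaderValue();

        Key verificationKey = null;
        if (x5cChain != null && !x5cChain.isEmpty()) {
            log.debug("Found x509 certificate in JOSE header ... ");
            log.trace("Sorting received X509 certificates ... ");
            List<X509Certificate> sorted = X509Utils.sortCertificates(x5cChain);
            // Signer certificate is expected first after sorting (X509Utils contract).
            X509Certificate signerCert = sorted.get(0);
            // Trust decision is exact membership of the signer certificate in the trust list.
            if (list.contains(signerCert)) {
                verificationKey = signerCert.getPublicKey();
            } else {
                log.info("Can NOT find JOSE certificate in truststore.");
                if (log.isDebugEnabled()) {
                    try {
                        log.debug("Cert: {}", Base64Utils.encodeToString(signerCert.getEncoded()));
                    } catch (CertificateEncodingException e) {
                        log.warn("Can not create DEBUG output", e);
                    }
                }
            }
        } else if (StringUtils.isNotEmpty(x5tS256)) {
            log.debug("Found x5t256 fingerprint in JOSE header .... ");
            verificationKey = new X509VerificationKeyResolver(list).resolveKey(jws, Collections.emptyList());
        } else {
            throw new JoseException("JWS contains NO signature certificate or NO certificate fingerprint");
        }

        if (verificationKey == null) {
            throw new JoseException("Can NOT select verification key for JWS. Signature verification FAILED");
        }

        jws.setKey(verificationKey);
        // Payload is returned unverified on purpose; the 'valid' flag carries the verdict.
        return new JwsResult(jws.verifySignature(), jws.getUnverifiedPayload(), jws.getHeaders(), x5cChain);
    }

    /**
     * Selects the JWS algorithm that matches the private-key type.
     *
     * @param key  signing key
     * @param str  algorithm for RSA keys
     * @param str2 algorithm for EC keys
     * @param str3 friendly name of the key store, used in the error message
     * @return {@code str} for RSA keys, {@code str2} for EC keys
     * @throws EaafKeyUsageException if the key is neither RSA nor EC
     */
    private static String getKeyOperationAlgorithmFromCredential(Key key, String str, String str2, String str3) throws EaafKeyUsageException {
        if (key instanceof RSAPrivateKey) {
            return str;
        }
        if (key instanceof ECPrivateKey) {
            return str2;
        }
        log.warn("Could NOT select the cryptographic algorithm from Private-Key type");
        throw new EaafKeyUsageException("internal.key.01", new String[]{str3, "Can not select cryptographic algorithm"});
    }

    // Utility class: no instances.
    private JoseUtils() {
    }
}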
