package at.asitplus.wallet.lib.openid;

import at.asitplus.openid.AuthenticationRequestParameters;
import at.asitplus.openid.OpenIdConstants;
import at.asitplus.openid.RequestParametersFrom;
import at.asitplus.signum.indispensable.pki.AlternativeNames;
import at.asitplus.signum.indispensable.pki.X509Certificate;
import at.asitplus.signum.indispensable.pki.X509CertificateExtension;
import at.asitplus.signum.indispensable.pki.X509CertificateKt;
import at.asitplus.wallet.lib.oidvci.DefaultMapStore;
import at.asitplus.wallet.lib.oidvci.MapStore;
import at.asitplus.wallet.lib.oidvci.OAuth2Exception;
import io.github.aakira.napier.Napier;
import io.ktor.http.URLUtilsKt;
import io.ktor.http.Url;
import java.util.List;
import kotlin.Metadata;
import kotlin.collections.CollectionsKt;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;

/* compiled from: AuthorizationRequestValidator.kt */
@Metadata(d1 = {"\u0000@\n\u0002\u0018\u0002\n\u0002\u0010\u0000\n\u0000\n\u0002\u0018\u0002\n\u0002\u0010\u000e\n\u0002\b\u0003\n\u0002\u0010\u0002\n\u0000\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u000b\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0002\b\u0000\u0018\u00002\u00020\u0001B\u001d\u0012\u0014\b\u0002\u0010\u0002\u001a\u000e\u0012\u0004\u0012\u00020\u0004\u0012\u0004\u0012\u00020\u00040\u0003¢\u0006\u0004\b\u0005\u0010\u0006J\u001c\u0010\u0007\u001a\u00020\b2\f\u0010\t\u001a\b\u0012\u0004\u0012\u00020\u000b0\nH\u0086@¢\u0006\u0002\u0010\fJ\u0012\u0010\r\u001a\u00020\u000e*\b\u0012\u0004\u0012\u00020\u000b0\nH\u0002J\f\u0010\u000f\u001a\u00020\b*\u00020\u000bH\u0002J\u000e\u0010\u0010\u001a\u00020\u000e*\u0004\u0018\u00010\u0011H\u0002J\f\u0010\u0012\u001a\u00020\b*\u00020\u000bH\u0002J\u0012\u0010\u0013\u001a\u00020\b*\b\u0012\u0004\u0012\u00020\u000b0\nH\u0002J\u000e\u0010\u0014\u001a\u00020\u000e*\u0004\u0018\u00010\u0015H\u0002J\f\u0010\u0016\u001a\u00020\b*\u00020\u000bH\u0002R\u001a\u0010\u0002\u001a\u000e\u0012\u0004\u0012\u00020\u0004\u0012\u0004\u0012\u00020\u00040\u0003X\u0082\u0004¢\u0006\u0002\n\u0000¨\u0006\u0017"}, d2 = {"Lat/asitplus/wallet/lib/openid/AuthorizationRequestValidator;", "", "walletNonceMapStore", "Lat/asitplus/wallet/lib/oidvci/MapStore;", "", "<init>", "(Lat/asitplus/wallet/lib/oidvci/MapStore;)V", "validateAuthorizationRequest", "", "request", "Lat/asitplus/openid/RequestParametersFrom;", "Lat/asitplus/openid/AuthenticationRequestParameters;", "(Lat/asitplus/openid/RequestParametersFrom;Lkotlin/coroutines/Continuation;)Ljava/lang/Object;", "isFromRequestObject", "", "verifyRedirectUrl", "isAnyX509", "Lat/asitplus/openid/OpenIdConstants$ClientIdScheme;", "verifyClientMetadata", "verifyClientIdSchemeX509", "isAnyDirectPost", "Lat/asitplus/openid/OpenIdConstants$ResponseMode;", "verifyResponseModeDirectPost", "vck-openid_release"}, k = 1, mv = {2, 1, 0}, xi = 
48)
/* loaded from: classes3.dex */
public final class AuthorizationRequestValidator {
    // Decompiled (JADX) from the Kotlin source AuthorizationRequestValidator.kt.
    // Validates OpenID4VP authorization requests: the private helpers below are the
    // per-case checks (client_id_scheme x509_*, redirect_uri, direct_post response
    // modes, client metadata); the public entry point validateAuthorizationRequest()
    // did not survive decompilation and is only a throwing stub at the bottom of this
    // file. Every failed check is logged at WARN and surfaces as an OAuth2Exception
    // carrying OpenIdConstants.Errors.INVALID_REQUEST.

    // Nonce store shared with the wallet; only assigned here, never read by any
    // decompiled helper (presumably consumed inside validateAuthorizationRequest).
    private final MapStore<String, String> walletNonceMapStore;

    /* JADX WARN: Multi-variable type inference failed */
    /**
     * No-arg constructor; delegates to the synthetic default-argument constructor so that
     * a fresh {@link DefaultMapStore} is used. The {@code 0 == true ? 1 : 0} is a decompiler
     * artifact and simply passes {@code null} as the {@code DefaultConstructorMarker}.
     */
    public AuthorizationRequestValidator() {
        this(null, 1, 0 == true ? 1 : 0);
    }

    /**
     * Creates a validator backed by the given nonce store.
     *
     * @param walletNonceMapStore store for wallet nonces; must not be {@code null}
     */
    public AuthorizationRequestValidator(MapStore<String, String> walletNonceMapStore) {
        Intrinsics.checkNotNullParameter(walletNonceMapStore, "walletNonceMapStore");
        this.walletNonceMapStore = walletNonceMapStore;
    }

    /**
     * Kotlin default-argument constructor: bit 0 of {@code i} set means the caller did not
     * supply a store, so a new {@link DefaultMapStore} is created.
     */
    public /* synthetic */ AuthorizationRequestValidator(DefaultMapStore defaultMapStore, int i, DefaultConstructorMarker defaultConstructorMarker) {
        this((i & 1) != 0 ? new DefaultMapStore() : defaultMapStore);
    }

    /**
     * @return {@code true} for the {@code direct_post} and {@code direct_post.jwt} response
     *     modes, {@code false} for anything else (including {@code null})
     */
    private final boolean isAnyDirectPost(OpenIdConstants.ResponseMode responseMode) {
        return Intrinsics.areEqual(responseMode, OpenIdConstants.ResponseMode.DirectPost.INSTANCE) || Intrinsics.areEqual(responseMode, OpenIdConstants.ResponseMode.DirectPostJwt.INSTANCE);
    }

    /**
     * @return {@code true} for the {@code x509_san_dns} and {@code x509_san_uri} client id
     *     schemes, {@code false} for anything else (including {@code null})
     */
    private final boolean isAnyX509(OpenIdConstants.ClientIdScheme clientIdScheme) {
        return Intrinsics.areEqual(clientIdScheme, OpenIdConstants.ClientIdScheme.X509SanDns.INSTANCE) || Intrinsics.areEqual(clientIdScheme, OpenIdConstants.ClientIdScheme.X509SanUri.INSTANCE);
    }

    /**
     * @return {@code true} when the parameters were obtained from a request object (plain
     *     JSON or a signed JWS) rather than from bare query parameters. Not referenced by
     *     any decompiled helper; presumably used by validateAuthorizationRequest.
     */
    private final boolean isFromRequestObject(RequestParametersFrom<AuthenticationRequestParameters> requestParametersFrom) {
        return (requestParametersFrom instanceof RequestParametersFrom.Json) || (requestParametersFrom instanceof RequestParametersFrom.JwsSigned);
    }

    /**
     * Checks that {@code client_id} is bound to the leaf certificate of the request object's
     * {@code x5c} header for the x509 client id schemes.
     * <p>
     * Flow as decompiled:
     * <ul>
     *   <li>The request must be a signed JWS with a non-empty certificate chain, otherwise
     *       "x5c is null".</li>
     *   <li>The leaf certificate must carry extensions, otherwise "no extensions in x5c".</li>
     *   <li>Scheme other than {@code x509_san_dns} (i.e. {@code x509_san_uri}, assuming the
     *       caller gates on {@link #isAnyX509}): {@code client_id} (without prefix) must be one
     *       of the SAN URIs and must equal {@code redirect_uri}. A missing redirect_uri fails
     *       this equality, so redirect_uri is required here even for direct_post modes.</li>
     *   <li>Scheme {@code x509_san_dns}: {@code client_id} (without prefix) must be one of the
     *       SAN dNSNames. For direct_post modes nothing more is checked; otherwise
     *       {@code redirect_uri} must be present, parseable, and its host must equal
     *       {@code client_id}.</li>
     * </ul>
     * NOTE(review): this method only performs name matching; no chain building, signature
     * or trust-anchor verification of the x5c certificates is visible here, so it must be
     * done elsewhere (e.g. when the JWS signature is checked) — confirm. All comparisons are
     * exact string equality via Intrinsics.areEqual, i.e. case-sensitive and without
     * normalisation; that is stricter than DNS name matching, so it fails closed.
     *
     * @param requestParametersFrom the parsed request together with its transport form
     * @throws OAuth2Exception with INVALID_REQUEST on any failed check
     */
    private final void verifyClientIdSchemeX509(RequestParametersFrom<AuthenticationRequestParameters> requestParametersFrom) throws OAuth2Exception {
        List<X509Certificate> certificateChain;
        List<String> uris;
        List<String> dnsNames;
        Url Url;
        OpenIdConstants.ClientIdScheme clientIdSchemeExtracted = requestParametersFrom.getParameters().getClientIdSchemeExtracted();
        boolean isAnyDirectPost = isAnyDirectPost(requestParametersFrom.getParameters().getResponseMode());
        // Common prefix for every warning logged below.
        String str = "client_id_scheme is " + clientIdSchemeExtracted;
        if (requestParametersFrom instanceof RequestParametersFrom.JwsSigned) {
            RequestParametersFrom.JwsSigned jwsSigned = (RequestParametersFrom.JwsSigned) requestParametersFrom;
            // Decompiler rendering of a Kotlin null-or-empty check on the x5c header:
            // proceeds only when the chain is present and non-empty.
            if (jwsSigned.getJwsSigned().getHeader().getCertificateChain() != null && ((certificateChain = jwsSigned.getJwsSigned().getHeader().getCertificateChain()) == null || !certificateChain.isEmpty())) {
                List<X509Certificate> certificateChain2 = jwsSigned.getJwsSigned().getHeader().getCertificateChain();
                Intrinsics.checkNotNull(certificateChain2);
                X509Certificate leaf = X509CertificateKt.getLeaf(certificateChain2);
                if (leaf.getTbsCertificate().getExtensions() != null) {
                    List<X509CertificateExtension> extensions = leaf.getTbsCertificate().getExtensions();
                    Intrinsics.checkNotNull(extensions);
                    if (!extensions.isEmpty()) {
                        // Any scheme except x509_san_dns takes the URI branch.
                        if (!Intrinsics.areEqual(clientIdSchemeExtracted, OpenIdConstants.ClientIdScheme.X509SanDns.INSTANCE)) {
                            AlternativeNames subjectAlternativeNames = leaf.getTbsCertificate().getSubjectAlternativeNames();
                            if (subjectAlternativeNames == null || (uris = subjectAlternativeNames.getUris()) == null) {
                                Napier.w$default(Napier.INSTANCE, str + ", but no URIs were found in the leaf certificate", (Throwable) null, (String) null, 6, (Object) null);
                                throw new OAuth2Exception(OpenIdConstants.Errors.INVALID_REQUEST, "no SAN in x5c");
                            }
                            if (!CollectionsKt.contains(uris, ((AuthenticationRequestParameters) jwsSigned.getParameters()).getClientIdWithoutPrefix())) {
                                Napier.w$default(Napier.INSTANCE, str + ", but client_id does not match any URIs in the leaf certificate", (Throwable) null, (String) null, 6, (Object) null);
                                throw new OAuth2Exception(OpenIdConstants.Errors.INVALID_REQUEST, "client_id not in SAN in x5c");
                            }
                            // Success only when redirect_uri is literally the (unprefixed) client_id;
                            // a null redirect_uri therefore fails this check.
                            if (Intrinsics.areEqual(((AuthenticationRequestParameters) jwsSigned.getParameters()).getClientIdWithoutPrefix(), ((AuthenticationRequestParameters) jwsSigned.getParameters()).getRedirectUrl())) {
                                return;
                            }
                            // Note: the log line prints the prefixed client_id, the comparison above used the unprefixed one.
                            Napier.w$default(Napier.INSTANCE, str + ", but client_id " + ((AuthenticationRequestParameters) jwsSigned.getParameters()).getClientId() + " does not match redirect_uri " + ((AuthenticationRequestParameters) jwsSigned.getParameters()).getRedirectUrl(), (Throwable) null, (String) null, 6, (Object) null);
                            throw new OAuth2Exception(OpenIdConstants.Errors.INVALID_REQUEST, "client_id not in redirect_uri");
                        }
                        // x509_san_dns branch.
                        AlternativeNames subjectAlternativeNames2 = leaf.getTbsCertificate().getSubjectAlternativeNames();
                        if (subjectAlternativeNames2 == null || (dnsNames = subjectAlternativeNames2.getDnsNames()) == null) {
                            Napier.w$default(Napier.INSTANCE, str + ", but no dnsNames were found in the leaf certificate", (Throwable) null, (String) null, 6, (Object) null);
                            throw new OAuth2Exception(OpenIdConstants.Errors.INVALID_REQUEST, "no dnsNames in x5c");
                        }
                        if (!CollectionsKt.contains(dnsNames, ((AuthenticationRequestParameters) jwsSigned.getParameters()).getClientIdWithoutPrefix())) {
                            Napier.w$default(Napier.INSTANCE, str + ", but client_id does not match any dnsName in the leaf certificate", (Throwable) null, (String) null, 6, (Object) null);
                            throw new OAuth2Exception(OpenIdConstants.Errors.INVALID_REQUEST, "client_id not in dnsNames in x5c");
                        }
                        // direct_post / direct_post.jwt use response_uri, so no redirect_uri binding is required.
                        if (isAnyDirectPost) {
                            return;
                        }
                        String redirectUrl = ((AuthenticationRequestParameters) jwsSigned.getParameters()).getRedirectUrl();
                        if (redirectUrl == null || (Url = URLUtilsKt.Url(redirectUrl)) == null) {
                            Napier.w$default(Napier.INSTANCE, str + ", but no redirect_url was provided", (Throwable) null, (String) null, 6, (Object) null);
                            throw new OAuth2Exception(OpenIdConstants.Errors.INVALID_REQUEST, "redirect_uri is null");
                        }
                        // Binds redirect_uri to the certificate by requiring its host to equal the dNSName client_id.
                        if (Intrinsics.areEqual(Url.getHost(), ((AuthenticationRequestParameters) jwsSigned.getParameters()).getClientIdWithoutPrefix())) {
                            return;
                        }
                        Napier.w$default(Napier.INSTANCE, str + ", but redirect_uri " + Url + " does not match client_id " + ((AuthenticationRequestParameters) jwsSigned.getParameters()).getClientIdWithoutPrefix(), (Throwable) null, (String) null, 6, (Object) null);
                        throw new OAuth2Exception(OpenIdConstants.Errors.INVALID_REQUEST, "client_id not in redirect_uri");
                    }
                }
                // Reached when the leaf has no extensions or an empty extension list.
                Napier.w$default(Napier.INSTANCE, str + ", but no extensions were found in the leaf certificate", (Throwable) null, (String) null, 6, (Object) null);
                throw new OAuth2Exception(OpenIdConstants.Errors.INVALID_REQUEST, "no extensions in x5c");
            }
        }
        // Reached for non-JWS requests and for JWS requests with a missing or empty x5c header.
        Napier.w$default(Napier.INSTANCE, str + ", but metadata is not set and no x5c certificate chain is present", (Throwable) null, (String) null, 6, (Object) null);
        throw new OAuth2Exception(OpenIdConstants.Errors.INVALID_REQUEST, "x5c is null");
    }

    /**
     * Requires either {@code client_metadata} or {@code client_metadata_uri} to be present.
     * The warning text indicates this is meant for the {@code redirect_uri} client id scheme;
     * the caller (not visible here) is assumed to gate on that.
     *
     * @throws OAuth2Exception with INVALID_REQUEST when both are absent
     */
    private final void verifyClientMetadata(AuthenticationRequestParameters authenticationRequestParameters) throws OAuth2Exception {
        if (authenticationRequestParameters.getClientMetadata() == null && authenticationRequestParameters.getClientMetadataUri() == null) {
            Napier.w$default(Napier.INSTANCE, "client_id_scheme is redirect_uri, but metadata is not set", (Throwable) null, (String) null, 6, (Object) null);
            throw new OAuth2Exception(OpenIdConstants.Errors.INVALID_REQUEST, "client_metadata is null");
        }
    }

    /**
     * Passes when {@code redirect_uri} is absent or exactly equals the unprefixed
     * {@code client_id}; any other redirect_uri is rejected.
     *
     * @throws OAuth2Exception with INVALID_REQUEST on mismatch
     */
    private final void verifyRedirectUrl(AuthenticationRequestParameters authenticationRequestParameters) throws OAuth2Exception {
        if (authenticationRequestParameters.getRedirectUrl() == null || Intrinsics.areEqual(authenticationRequestParameters.getClientIdWithoutPrefix(), authenticationRequestParameters.getRedirectUrl())) {
            return;
        }
        Napier.w$default(Napier.INSTANCE, "client_id does not match redirect_uri", (Throwable) null, (String) null, 6, (Object) null);
        throw new OAuth2Exception(OpenIdConstants.Errors.INVALID_REQUEST, "client_id not matching redirect_uri");
    }

    /**
     * For the direct_post response modes: {@code redirect_uri} must be absent and
     * {@code response_uri} must be present.
     *
     * @throws OAuth2Exception with INVALID_REQUEST when redirect_uri is set or response_uri is missing
     */
    private final void verifyResponseModeDirectPost(AuthenticationRequestParameters authenticationRequestParameters) throws OAuth2Exception {
        if (authenticationRequestParameters.getRedirectUrl() != null) {
            Napier.w$default(Napier.INSTANCE, "response_mode is " + authenticationRequestParameters.getResponseMode() + ", but redirect_url is set", (Throwable) null, (String) null, 6, (Object) null);
            throw new OAuth2Exception(OpenIdConstants.Errors.INVALID_REQUEST, "redirect_uri is set");
        }
        if (authenticationRequestParameters.getResponseUrl() != null) {
            return;
        }
        Napier.w$default(Napier.INSTANCE, "response_mode is " + authenticationRequestParameters.getResponseMode() + ", but response_url is not set", (Throwable) null, (String) null, 6, (Object) null);
        throw new OAuth2Exception(OpenIdConstants.Errors.INVALID_REQUEST, "response_url is null");
    }

    /* JADX WARN: Removed duplicated region for block: B:12:0x0101  */
    /* JADX WARN: Removed duplicated region for block: B:19:0x0039  */
    /* JADX WARN: Removed duplicated region for block: B:8:0x0026  */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Public entry point (a Kotlin {@code suspend fun} returning {@code Unit}, hence the
     * {@code Continuation} parameter and {@code Object} return type). The decompiler could not
     * recover its body: this Java rendering is a stub that throws
     * {@code UnsupportedOperationException} and does NOT reflect the shipped bytecode. Which of
     * the private helpers above it calls, and in what order, cannot be determined from this
     * file; consult the original Kotlin source or the dex.
     *
     * @param r12 the parsed authorization request and its transport form
     * @param r13 coroutine continuation
     * @throws OAuth2Exception for an invalid request (declared)
     * @throws java.util.concurrent.CancellationException on coroutine cancellation (declared)
     */
    public final java.lang.Object validateAuthorizationRequest(at.asitplus.openid.RequestParametersFrom<at.asitplus.openid.AuthenticationRequestParameters> r12, kotlin.coroutines.Continuation<? super kotlin.Unit> r13) throws at.asitplus.wallet.lib.oidvci.OAuth2Exception, java.util.concurrent.CancellationException {
        /*
            Method dump skipped, instructions count: 319
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: at.asitplus.wallet.lib.openid.AuthorizationRequestValidator.validateAuthorizationRequest(at.asitplus.openid.RequestParametersFrom, kotlin.coroutines.Continuation):java.lang.Object");
    }
}
