package org.keycloak.protocol.oid4vc.issuance.keybinding;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Objects;
import java.util.Optional;
import org.keycloak.common.VerificationException;
import org.keycloak.crypto.SignatureVerifierContext;
import org.keycloak.jose.jwk.JWK;
import org.keycloak.jose.jws.JWSHeader;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.oid4vc.issuance.OID4VCIssuerWellKnownProvider;
import org.keycloak.protocol.oid4vc.issuance.VCIssuanceContext;
import org.keycloak.protocol.oid4vc.issuance.VCIssuerException;
import org.keycloak.protocol.oid4vc.model.Proof;
import org.keycloak.protocol.oid4vc.model.ProofType;
import org.keycloak.representations.AccessToken;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:org/keycloak/protocol/oid4vc/issuance/keybinding/JwtProofValidator.class */
public class JwtProofValidator extends AbstractProofValidator {
    public static final String PROOF_JWT_TYP = "openid4vci-proof+jwt";
    private static final String CRYPTOGRAPHIC_BINDING_METHOD_JWK = "jwk";

    /* JADX INFO: Access modifiers changed from: protected */
    public JwtProofValidator(KeycloakSession keycloakSession) {
        super(keycloakSession);
    }

    @Override // org.keycloak.protocol.oid4vc.issuance.keybinding.ProofValidator
    public JWK validateProof(VCIssuanceContext vCIssuanceContext) throws VCIssuerException {
        try {
            return validateJwtProof(vCIssuanceContext);
        } catch (JWSInputException | VerificationException | IOException e) {
            throw new VCIssuerException("Could not validate proof", e);
        }
    }

    private JWK validateJwtProof(VCIssuanceContext vCIssuanceContext) throws VCIssuerException, JWSInputException, VerificationException, IOException {
        Optional<Proof> proofFromContext = getProofFromContext(vCIssuanceContext);
        if (proofFromContext.isEmpty()) {
            return null;
        }
        checkCryptographicKeyBinding(vCIssuanceContext);
        JWSInput jwsInput = getJwsInput(proofFromContext.get());
        JWSHeader header = jwsInput.getHeader();
        validateJwsHeader(vCIssuanceContext, header);
        JWK jwk = (JWK) Optional.ofNullable(header.getKey()).orElseThrow(() -> {
            return new VCIssuerException("Missing binding key. Make sure provided JWT contains the jwk jwsHeader claim.");
        });
        validateProofPayload(vCIssuanceContext, (AccessToken) JsonSerialization.readValue(jwsInput.getContent(), AccessToken.class));
        SignatureVerifierContext verifier = getVerifier(jwk, header.getAlgorithm().name());
        if (verifier == null) {
            throw new VCIssuerException("No verifier configured for " + String.valueOf(header.getAlgorithm()));
        }
        if (verifier.verify(jwsInput.getEncodedSignatureInput().getBytes(StandardCharsets.UTF_8), jwsInput.getSignature())) {
            return jwk;
        }
        throw new VCIssuerException("Could not verify provided proof");
    }

    private void checkCryptographicKeyBinding(VCIssuanceContext vCIssuanceContext) {
        if (vCIssuanceContext.getCredentialConfig().getCryptographicBindingMethodsSupported() == null || !vCIssuanceContext.getCredentialConfig().getCryptographicBindingMethodsSupported().contains(CRYPTOGRAPHIC_BINDING_METHOD_JWK)) {
            throw new IllegalStateException("This SD-JWT implementation only supports jwk as cryptographic binding method");
        }
    }

    private Optional<Proof> getProofFromContext(VCIssuanceContext vCIssuanceContext) throws VCIssuerException {
        return Optional.ofNullable(vCIssuanceContext.getCredentialConfig()).map((v0) -> {
            return v0.getProofTypesSupported();
        }).flatMap(proofTypesSupported -> {
            Optional.ofNullable(proofTypesSupported.getJwt()).orElseThrow(() -> {
                return new VCIssuerException("SD-JWT supports only jwt proof type.");
            });
            Proof proof = (Proof) Optional.ofNullable(vCIssuanceContext.getCredentialRequest().getProof()).orElseThrow(() -> {
                return new VCIssuerException("Credential configuration requires a proof of type: jwt");
            });
            if (Objects.equals(proof.getProofType(), ProofType.JWT)) {
                return Optional.of(proof);
            }
            throw new VCIssuerException("Wrong proof type");
        });
    }

    private JWSInput getJwsInput(Proof proof) throws JWSInputException {
        return new JWSInput(proof.getJwt());
    }

    private void validateJwsHeader(VCIssuanceContext vCIssuanceContext, JWSHeader jWSHeader) throws VCIssuerException {
        Optional.ofNullable(jWSHeader.getAlgorithm()).orElseThrow(() -> {
            return new VCIssuerException("Missing jwsHeader claim alg");
        });
        Optional.ofNullable(vCIssuanceContext.getCredentialConfig()).map((v0) -> {
            return v0.getProofTypesSupported();
        }).map((v0) -> {
            return v0.getJwt();
        }).map((v0) -> {
            return v0.getProofSigningAlgValuesSupported();
        }).filter(list -> {
            return list.contains(jWSHeader.getAlgorithm().name());
        }).orElseThrow(() -> {
            return new VCIssuerException("Proof signature algorithm not supported: " + jWSHeader.getAlgorithm().name());
        });
        Optional.ofNullable(jWSHeader.getType()).filter(str -> {
            return Objects.equals(PROOF_JWT_TYP, str);
        }).orElseThrow(() -> {
            return new VCIssuerException("JWT type must be: openid4vci-proof+jwt");
        });
        Optional.ofNullable(jWSHeader.getKeyId()).ifPresent(str2 -> {
            throw new VCIssuerException("KeyId not expected in this JWT. Use the jwk claim instead.");
        });
    }

    private void validateProofPayload(VCIssuanceContext vCIssuanceContext, AccessToken accessToken) throws VCIssuerException {
        String issuer = OID4VCIssuerWellKnownProvider.getIssuer(this.keycloakSession.getContext());
        Optional.ofNullable(accessToken.getAudience()).map((v0) -> {
            return Arrays.asList(v0);
        }).filter(list -> {
            return list.contains(issuer);
        }).orElseThrow(() -> {
            return new VCIssuerException("Proof not produced for this audience. Audience claim must be: " + issuer + " but are " + String.valueOf(Arrays.asList(accessToken.getAudience())));
        });
        Optional.ofNullable(accessToken.getIat()).orElseThrow(() -> {
            return new VCIssuerException("Missing proof issuing time. iat claim must be provided.");
        });
        Optional.ofNullable(vCIssuanceContext.getAuthResult().getToken().getNonce()).ifPresent(str -> {
            Optional.ofNullable(accessToken.getNonce()).filter(str -> {
                return Objects.equals(str, str);
            }).orElseThrow(() -> {
                return new VCIssuerException("Missing or wrong nonce value. Please provide nonce returned by the issuer if any.");
            });
        });
    }
}
