package org.keycloak.protocol.oid4vc.issuance.signing;

import java.io.IOException;
import java.util.Map;
import java.util.Optional;
import org.jboss.logging.Logger;
import org.keycloak.common.VerificationException;
import org.keycloak.crypto.KeyWrapper;
import org.keycloak.crypto.SignatureProvider;
import org.keycloak.crypto.SignatureSignerContext;
import org.keycloak.jose.jwk.JWK;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.models.KeycloakSession;
import org.keycloak.protocol.oid4vc.issuance.VCIssuanceContext;
import org.keycloak.protocol.oid4vc.issuance.VCIssuerException;
import org.keycloak.protocol.oid4vc.issuance.credentialbuilder.CredentialBody;
import org.keycloak.protocol.oid4vc.issuance.credentialbuilder.SdJwtCredentialBody;
import org.keycloak.protocol.oid4vc.model.CredentialConfigId;
import org.keycloak.protocol.oid4vc.model.VerifiableCredentialType;

/* loaded from: input_file:org/keycloak/protocol/oid4vc/issuance/signing/SdJwtSigningService.class */
/**
 * Signing service that turns an {@link SdJwtCredentialBody} into a signed SD-JWT credential string.
 *
 * <p>The signer context is resolved once in the constructor and reused for every
 * {@link #signCredential(VCIssuanceContext)} call. The literal {@code "vc+sd-jwt"} is handed to the
 * superclass constructor; what the superclass does with it is not visible in this file.
 */
public class SdJwtSigningService extends JwtProofBasedSigningService<String> {
    private static final Logger LOGGER = Logger.getLogger(SdJwtSigningService.class);

    // Key under which the holder's proof key is placed inside the cnf claim.
    private static final String JWK_CLAIM = "jwk";

    // Signer bound to the issuer key selected in the constructor.
    private final SignatureSignerContext signatureSignerContext;
    private final CredentialConfigId vcConfigId;
    private final VerifiableCredentialType vct;

    /**
     * Resolves the signing key and prepares the signer used for all credentials issued by this service.
     *
     * @param keycloakSession session used to look up the {@link SignatureProvider}
     * @param str id of the signing key (see the "No key for id" error message)
     * @param str2 signature algorithm; also used as the {@link SignatureProvider} id
     * @param optional only its presence is checked; when present the key is cloned and re-labelled
     * @param verifiableCredentialType vct of the credential; required when a config id is given
     * @param credentialConfigId credential configuration id, may be {@code null}
     * @throws SigningServiceException if a config id is given without a vct, or if no key is found
     */
    public SdJwtSigningService(KeycloakSession keycloakSession, String str, String str2, Optional<String> optional, VerifiableCredentialType verifiableCredentialType, CredentialConfigId credentialConfigId) {
        super(keycloakSession, str, "vc+sd-jwt", str2);
        this.vct = verifiableCredentialType;
        this.vcConfigId = credentialConfigId;

        // A credential configuration without a vct cannot be served by this service.
        final boolean vctMissing = credentialConfigId != null && verifiableCredentialType == null;
        if (vctMissing) {
            throw new SigningServiceException(String.format("Missing vct for credential config id %s.", credentialConfigId));
        }

        final KeyWrapper resolvedKey = getKey(str, str2);
        if (resolvedKey == null) {
            throw new SigningServiceException(String.format("No key for id %s and algorithm %s available.", str, str2));
        }

        final KeyWrapper signingKey;
        if (optional.isPresent()) {
            // Work on a copy so the KeyWrapper returned by getKey is not mutated by setKid.
            // NOTE(review): the value held by `optional` is never read; the copy receives `str` as
            // its kid. If `optional` is meant to carry a configured kid override, the kid given to
            // the signer would not match it. Verifiers use the kid to select the issuer's
            // verification key, so confirm which value is intended.
            signingKey = resolvedKey.cloneKey();
            signingKey.setKid(str);
        } else {
            signingKey = resolvedKey;
        }

        final SignatureProvider signatureProvider = keycloakSession.getProvider(SignatureProvider.class, str2);
        this.signatureSignerContext = signatureProvider.signer(signingKey);
        // Only the algorithm name is logged; no key material reaches the log.
        LOGGER.debugf("Successfully initiated the SD-JWT Signing Service with algorithm %s.", str2);
    }

    /**
     * Validates the holder's proof, binds the proven key to the credential and signs it.
     *
     * @param vCIssuanceContext issuance context carrying the credential body (and, presumably, the proof)
     * @return the value returned by {@link SdJwtCredentialBody#sign}
     * @throws VCIssuerException if the body is not an {@link SdJwtCredentialBody}, or if a
     *     {@link JWSInputException}, {@link VerificationException} or {@link IOException} is raised
     *     inside the proof-validation and signing step
     */
    @Override
    public String signCredential(VCIssuanceContext vCIssuanceContext) throws VCIssuerException {
        final CredentialBody body = vCIssuanceContext.getCredentialBody();
        if (body instanceof SdJwtCredentialBody) {
            final SdJwtCredentialBody sdJwtBody = (SdJwtCredentialBody) body;
            try {
                // validateProof is not defined in this file (presumably inherited).
                final JWK holderKey = validateProof(vCIssuanceContext);
                if (holderKey != null) {
                    // Key binding: the proven holder key goes into the cnf claim before signing.
                    sdJwtBody.addCnfClaim(Map.of(JWK_CLAIM, holderKey));
                }
                // NOTE(review): when validateProof returns null, no cnf claim is added here and the
                // credential is signed without a holder key bound by this method. Confirm that null
                // is returned only when the configuration does not require a proof.
                return sdJwtBody.sign(this.signatureSignerContext);
            } catch (JWSInputException | VerificationException | IOException e) {
                // The cause is kept so the underlying failure stays diagnosable.
                throw new VCIssuerException("Can not verify proof", e);
            }
        }
        throw new VCIssuerException("Credential body unexpectedly not of type SdJwtCredentialBody");
    }

    /**
     * Returns the locator of this service, as computed by
     * {@link VerifiableCredentialsSigningService#locator} from the inherited format, the vct and
     * the credential configuration id.
     */
    @Override
    public String locator() {
        return VerifiableCredentialsSigningService.locator(format, vct, vcConfigId);
    }
}
