package org.keycloak.sdjwt;

import com.fasterxml.jackson.databind.JsonNode;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.List;
import java.util.Objects;
import org.keycloak.OAuth2Constants;
import org.keycloak.common.VerificationException;
import org.keycloak.crypto.SignatureSignerContext;
import org.keycloak.crypto.SignatureVerifierContext;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.jose.jws.JWSHeader;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.representations.docker.DockerAccess;

/* loaded from: input_file:org/keycloak/sdjwt/SdJws.class */
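/**
 * Base type for the JWS-carrying parts of an SD-JWT (issuer-signed JWT, key-binding JWT).
 *
 * <p>An instance either wraps a parsed/signed {@link JWSInput} plus its decoded payload, or
 * only a payload (not yet signed, {@link #jwsInput} is {@code null}). Signature and claim
 * checks are exposed as separate {@code verify*} methods; callers compose the ones their
 * context requires. None of the checks applies clock skew tolerance.
 */
public abstract class SdJws {
    /** Signed wire form; {@code null} while the object only carries an unsigned payload. */
    private final JWSInput jwsInput;
    /** Decoded JWT payload (the claim set). */
    private final JsonNode payload;

    /**
     * Creates an unsigned instance around an already-decoded payload.
     * Intended for subclasses (the decompiled access level was {@code protected}).
     *
     * @param jsonNode the claim set to carry; no signature is attached yet
     */
    public SdJws(JsonNode jsonNode) {
        this.payload = jsonNode;
        this.jwsInput = null;
    }

    /**
     * Parses a compact-serialised JWS and decodes its payload.
     * Intended for subclasses (the decompiled access level was {@code protected}).
     *
     * @param str the compact JWS string
     * @throws NullPointerException if {@code str} is {@code null}
     * @throws IllegalArgumentException if {@code str} is not a parsable JWS
     * @throws UncheckedIOException if the JWS payload is not valid JSON
     */
    public SdJws(String str) {
        this.jwsInput = parse(str);
        this.payload = readPayload(this.jwsInput);
    }

    /**
     * Wraps an already-parsed JWS together with its decoded payload.
     * Intended for subclasses (the decompiled access level was {@code protected}).
     *
     * @param jsonNode the decoded payload of {@code jWSInput}
     * @param jWSInput the parsed JWS
     */
    public SdJws(JsonNode jsonNode, JWSInput jWSInput) {
        this.payload = jsonNode;
        this.jwsInput = jWSInput;
    }

    /**
     * Signs the given payload and keeps both the payload and the resulting JWS.
     * Intended for subclasses (the decompiled access level was {@code protected}).
     *
     * @param jsonNode the claim set to sign
     * @param signatureSignerContext signer used to produce the signature
     * @param str value for the JWS {@code typ} header
     */
    public SdJws(JsonNode jsonNode, SignatureSignerContext signatureSignerContext, String str) {
        this.payload = jsonNode;
        this.jwsInput = sign(jsonNode, signatureSignerContext, str);
    }

    /**
     * Returns the compact serialisation of the signed JWS.
     *
     * @return the JWS wire string
     * @throws IllegalStateException if this instance has no signature yet
     */
    public String toJws() {
        return requireSigned().getWireString();
    }

    /**
     * Returns the decoded claim set.
     *
     * @return the payload; callers must not mutate it
     */
    public JsonNode getPayload() {
        return this.payload;
    }

    /**
     * Returns the JWS protected header.
     *
     * @return the header of the wrapped JWS
     * @throws IllegalStateException if this instance has no signature yet
     */
    public JWSHeader getHeader() {
        return requireSigned().getHeader();
    }

    /**
     * Signs {@code jsonNode} as the JWS payload and re-parses the result.
     *
     * @param jsonNode the claim set to sign
     * @param signatureSignerContext signer used to produce the signature
     * @param str value for the JWS {@code typ} header
     * @return the parsed, signed JWS
     */
    protected static JWSInput sign(JsonNode jsonNode, SignatureSignerContext signatureSignerContext, String str) {
        return parse(new JWSBuilder().type(str).jsonContent(jsonNode).sign(signatureSignerContext));
    }

    /**
     * Verifies the JWS signature with the supplied verifier.
     *
     * <p>This method only checks the signature bytes; it does not compare the header's
     * {@code alg} (or {@code kid}) with the verifier's algorithm or key. Selecting a verifier
     * that matches the header is the caller's responsibility.
     *
     * @param signatureVerifierContext verifier holding the expected key and algorithm
     * @throws VerificationException if the instance is unsigned, the signature does not
     *         verify, or the verifier fails (the failure is kept as the cause)
     */
    public void verifySignature(SignatureVerifierContext signatureVerifierContext) throws VerificationException {
        Objects.requireNonNull(signatureVerifierContext, "verifier must not be null");
        if (this.jwsInput == null) {
            // Previously surfaced as a VerificationException wrapping an NPE; make the reason explicit.
            throw new VerificationException("JWS not yet signed");
        }
        final boolean valid;
        try {
            // The signing input is the ASCII/UTF-8 "header.payload" string, verified against the raw signature bytes.
            valid = signatureVerifierContext.verify(
                    this.jwsInput.getEncodedSignatureInput().getBytes(StandardCharsets.UTF_8),
                    this.jwsInput.getSignature());
        } catch (Exception e) {
            throw new VerificationException(e);
        }
        // Thrown outside the try so the message is not buried as a cause of a second VerificationException.
        if (!valid) {
            throw new VerificationException("Invalid jws signature");
        }
    }

    /**
     * Fails if the {@code iat} claim lies in the future.
     *
     * @throws VerificationException if {@code iat} is later than now, or the claim is missing/invalid
     */
    public void verifyIssuedAtClaim() throws VerificationException {
        if (nowEpochSeconds() < SdJwtUtils.readTimeClaim(this.payload, "iat")) {
            throw new VerificationException("jwt issued in the future");
        }
    }

    /**
     * Fails if the {@code exp} claim has been reached. The expiry instant itself counts as expired.
     *
     * @throws VerificationException if {@code exp} is now or in the past, or the claim is missing/invalid
     */
    public void verifyExpClaim() throws VerificationException {
        if (nowEpochSeconds() >= SdJwtUtils.readTimeClaim(this.payload, "exp")) {
            throw new VerificationException("jwt has expired");
        }
    }

    /**
     * Fails if the {@code nbf} claim lies in the future.
     *
     * @throws VerificationException if {@code nbf} is later than now, or the claim is missing/invalid
     */
    public void verifyNotBeforeClaim() throws VerificationException {
        if (nowEpochSeconds() < SdJwtUtils.readTimeClaim(this.payload, "nbf")) {
            throw new VerificationException("jwt not valid yet");
        }
    }

    /**
     * Fails if more than {@code i} seconds have elapsed since the {@code iat} claim.
     * A future {@code iat} yields a negative age and passes here; use
     * {@link #verifyIssuedAtClaim()} to reject that case.
     *
     * @param i maximum accepted age in seconds
     * @throws VerificationException if the token is older than {@code i} seconds, or {@code iat} is missing/invalid
     */
    public void verifyAge(int i) throws VerificationException {
        if (nowEpochSeconds() - SdJwtUtils.readTimeClaim(getPayload(), "iat") > i) {
            throw new VerificationException("jwt is too old");
        }
    }

    /**
     * Fails unless the {@code iss} claim is one of the trusted issuers.
     *
     * @param list trusted issuer identifiers
     * @throws VerificationException if the claim is absent or not in {@code list}
     */
    public void verifyIssClaim(List<String> list) throws VerificationException {
        verifyClaimAgainstTrustedValues(list, OAuth2Constants.ISSUER);
    }

    /**
     * Fails unless the {@code vct} (verifiable credential type) claim is one of the trusted values.
     *
     * @param list trusted credential type identifiers
     * @throws VerificationException if the claim is absent or not in {@code list}
     */
    public void verifyVctClaim(List<String> list) throws VerificationException {
        verifyClaimAgainstTrustedValues(list, "vct");
    }

    /**
     * Checks that the string claim {@code str} has one of the values in {@code list}.
     *
     * @param list accepted values; an empty list rejects every token
     * @param str claim name
     * @throws VerificationException if the claim value is not in {@code list}
     */
    private void verifyClaimAgainstTrustedValues(List<String> list, String str) throws VerificationException {
        Objects.requireNonNull(list, "trusted values must not be null");
        String readClaim = SdJwtUtils.readClaim(this.payload, str);
        if (!list.contains(readClaim)) {
            // The claim value is an identifier (issuer / credential type), not a secret, so it may appear in the message.
            throw new VerificationException(String.format("Unknown '%s' claim value: %s", str, readClaim));
        }
    }

    /** Returns the wrapped JWS or fails with the same message {@link #toJws()} uses for unsigned instances. */
    private JWSInput requireSigned() {
        if (this.jwsInput == null) {
            throw new IllegalStateException("JWS not yet signed");
        }
        return this.jwsInput;
    }

    /** Current time as seconds since the epoch; the unit all time claims are compared in. */
    private static long nowEpochSeconds() {
        return Instant.now().getEpochSecond();
    }

    /**
     * Parses a compact JWS string.
     *
     * @throws NullPointerException if {@code str} is {@code null}
     * @throws IllegalArgumentException (a {@link RuntimeException}, as before) if parsing fails
     */
    private static JWSInput parse(String str) {
        Objects.requireNonNull(str, "jwsString must not be null");
        try {
            return new JWSInput(str);
        } catch (JWSInputException e) {
            throw new IllegalArgumentException("Malformed JWS", e);
        }
    }

    /**
     * Decodes the JWS payload as a JSON tree.
     *
     * @throws UncheckedIOException (a {@link RuntimeException}, as before) if the payload is not valid JSON
     */
    private static JsonNode readPayload(JWSInput jWSInput) {
        try {
            return SdJwtUtils.mapper.readTree(jWSInput.getContent());
        } catch (IOException e) {
            throw new UncheckedIOException("JWS payload is not valid JSON", e);
        }
    }
}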
