package de.governikus.autent.eudiwallet.keycloak.provider.signingservices;

import de.governikus.autent.eudiwallet.ecdh.KeyService;
import de.governikus.autent.eudiwallet.keycloak.constants.Constants;
import de.governikus.autent.eudiwallet.keycloak.constants.StaticContext;
import de.governikus.autent.eudiwallet.keycloak.constants.UtilityMethods;
import de.governikus.autent.eudiwallet.keycloak.models.CredentialRequest;
import de.governikus.autent.eudiwallet.keycloak.models.MdocNameSpaces;
import de.governikus.autent.eudiwallet.mdl.MdocDeviceSigned;
import de.governikus.autent.eudiwallet.mdl.MdocIssuerSigned;
import de.governikus.autent.eudiwallet.mdl.MdocResponse;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPrivateKey;
import java.util.List;
import java.util.Map;
import org.keycloak.common.util.CertificateUtils;
import org.keycloak.crypto.KeyWrapper;
import org.keycloak.jose.jwk.JWKBuilder;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.util.JWKSUtils;
import org.keycloak.util.JsonSerialization;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/governikus/autent/eudiwallet/keycloak/provider/signingservices/MdocSigningProvider.class */
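public class MdocSigningProvider implements OpenId4VciSigningProvider<MdocNameSpaces> {
    private static final Logger log = LoggerFactory.getLogger(MdocSigningProvider.class);
    private final KeycloakSession keycloakSession;

    /**
     * Creates a signing provider bound to the given Keycloak session.
     *
     * @param keycloakSession the session from which the current credential request and the
     *                        PID provider signing key are looked up
     */
    public MdocSigningProvider(KeycloakSession keycloakSession) {
        this.keycloakSession = keycloakSession;
    }

    /**
     * Builds a base64url-encoded mdoc response for the given name spaces.
     * <p>
     * A fresh ephemeral key pair is generated on every call. Its public key is placed into the
     * issuer-signed structure (as a JWK and as a certificate chained to the PID provider's
     * signing certificate), and its private key is combined with the relying party's ephemeral
     * public key from the current credential request to derive the key handed to the
     * device-signed structure. The key pair is never stored on this object, so it cannot be
     * reused across credentials.
     *
     * @param clientScopeModel the client scope whose realm and signing-key configuration are used
     * @param mdocNameSpaces   the claims that go into the device-signed structure
     * @return the mdoc response encoded as base64url
     * @throws IllegalStateException if the session carries no credential request, or if the
     *                               request's relying party ephemeral public key yields no usable
     *                               public key
     */
    @Override
    public String signCredential(ClientScopeModel clientScopeModel, MdocNameSpaces mdocNameSpaces) {
        // Per-credential ephemeral key pair; see class-level notes on why it must stay local.
        KeyPair ephemeralKeyPair = generatePpEphKeyPair();
        MdocIssuerSigned issuerSigned = createIssuerAuth(clientScopeModel, ephemeralKeyPair);

        CredentialRequest credentialRequest = requireCredentialRequest();
        PublicKey relyingPartyEphemeralKey = relyingPartyEphemeralPublicKey(credentialRequest);

        MdocDeviceSigned deviceSigned = new MdocDeviceSigned(mdocNameSpaces.getClaims(),
                                                             credentialRequest.getSessionTranscript());
        return new MdocResponse(
            deviceSigned.getDeviceSigned(
                KeyService.deriveKeyFrom(ephemeralKeyPair.getPrivate(), relyingPartyEphemeralKey)),
            issuerSigned.getIssuerSigned()
        ).formatInBase64Url();
    }

    /**
     * Reads the credential request that the protocol endpoint stored on the session.
     *
     * @return the current credential request, never {@code null}
     * @throws IllegalStateException if no credential request is present on the session; this
     *                               replaces the bare NullPointerException that would otherwise
     *                               surface when the session transcript is read
     */
    private CredentialRequest requireCredentialRequest() {
        CredentialRequest credentialRequest = this.keycloakSession.getAttribute(
            Constants.ProtocolAttributes.CREDENTIAL_REQUEST, CredentialRequest.class);
        if (credentialRequest == null) {
            throw new IllegalStateException("No credential request found in the current Keycloak session");
        }
        return credentialRequest;
    }

    /**
     * Extracts the relying party's ephemeral public key from the credential request.
     * <p>
     * NOTE(review): {@code JWKSUtils.getKeyWrapper} is believed to return {@code null} for key
     * types it does not handle instead of throwing — confirm against the Keycloak version in
     * use. The explicit check here turns that case into a descriptive failure rather than a
     * NullPointerException inside the key derivation.
     *
     * @param credentialRequest the request carrying the relying party's ephemeral JWK
     * @return the relying party's ephemeral public key
     * @throws IllegalStateException if no usable public key can be obtained from the request
     */
    private static PublicKey relyingPartyEphemeralPublicKey(CredentialRequest credentialRequest) {
        KeyWrapper keyWrapper = JWKSUtils.getKeyWrapper(credentialRequest.getRelyingPartyEphemeralPublicKey());
        if (keyWrapper == null || keyWrapper.getPublicKey() == null) {
            throw new IllegalStateException("Credential request carries no usable relying party ephemeral public key");
        }
        return (PublicKey) keyWrapper.getPublicKey();
    }

    /**
     * Creates the issuer-signed part of the mdoc for the given ephemeral key pair.
     * <p>
     * The ephemeral public key is serialised as an EC JWK map and signed, together with the
     * certificate chain from {@link #getX5chain}, using the PID provider's EC private key.
     *
     * @param clientScopeModel the client scope used to resolve the PID provider signing key
     * @param keyPair          the per-credential ephemeral key pair
     * @return the issuer-signed structure (algorithm fixed to ES256)
     */
    private MdocIssuerSigned createIssuerAuth(ClientScopeModel clientScopeModel, KeyPair keyPair) {
        // Raw Map is kept on purpose: the MdocIssuerSigned constructor's parameter type is not
        // visible here, and convertValue(…, Map.class) only yields a raw Map anyway.
        Map ephemeralJwk = (Map) JsonSerialization.mapper.convertValue(
            JWKBuilder.create().ec(keyPair.getPublic()), Map.class);
        KeyWrapper pidProviderSigningKey = UtilityMethods.getPidProviderSigningKey(this.keycloakSession, clientScopeModel);
        List<X509Certificate> x5chain = getX5chain(clientScopeModel, pidProviderSigningKey, keyPair);
        return new MdocIssuerSigned("ES256", ephemeralJwk, x5chain, (ECPrivateKey) pidProviderSigningKey.getPrivateKey());
    }

    /**
     * Builds the certificate chain placed into the issuer-signed structure.
     * <p>
     * Element 0 is a V3 certificate for the ephemeral key pair, issued under the PID provider's
     * key and certificate with the issuer name from {@link StaticContext#getIssuer}; element 1
     * is the PID provider's own certificate. {@code doMissingCertificateWorkaround} runs first;
     * it is defined outside this class, and from its name it presumably ensures the key wrapper
     * carries a certificate before that certificate is used — verify in the declaring type.
     *
     * @param clientScopeModel the client scope whose realm is passed to the workaround
     * @param keyWrapper       the PID provider signing key, expected to carry its certificate
     * @param keyPair          the per-credential ephemeral key pair
     * @return a two-element chain: ephemeral leaf certificate, then PID provider certificate
     */
    private List<X509Certificate> getX5chain(ClientScopeModel clientScopeModel, KeyWrapper keyWrapper, KeyPair keyPair) {
        doMissingCertificateWorkaround(clientScopeModel.getRealm(), keyWrapper);
        X509Certificate providerCertificate = keyWrapper.getCertificate();
        X509Certificate ephemeralCertificate = CertificateUtils.generateV3Certificate(
            keyPair,
            (PrivateKey) keyWrapper.getPrivateKey(),
            providerCertificate,
            StaticContext.getIssuer(this.keycloakSession));
        return List.of(ephemeralCertificate, providerCertificate);
    }

    /**
     * Returns the Keycloak session this provider was created with.
     *
     * @return the bound Keycloak session
     */
    @Override
    public KeycloakSession getKeycloakSession() {
        return this.keycloakSession;
    }
}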
